IBM Security QRadar Version 7.3.2
Hardware Guide
IBM
Note
Before you use this information and the product that it supports, read the information in “Notices” on page 67.
Product information
This document applies to IBM® QRadar® Security Intelligence Platform V7.3.2 and subsequent releases unless superseded by an updated version of this document.
© Copyright International Business Machines Corporation 2014, 2019.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Introduction .... v
Chapter 1. Integrated Management Module .... 1
Chapter 2. Appliance Diagrams .... 3
Chapter 3. QRadar SIEM hardware migration scenarios .... 5
Replacing a QRadar managed host .... 5
Replacing a QRadar Console with an appliance that uses the same IP address .... 8
Replacing a QRadar Console with an appliance that uses a new IP address .... 12
Chapter 4. QRadar M5 appliance overview .... 17
QRadar xx05 .... 17
QRadar xx29 .... 19
QRadar xx29-C .... 20
QRadar xx48 .... 22
QRadar xx48-C .... 24
QRadar QFlow Collector 1202/1301 .... 25
QRadar QFlow Collector 1310 .... 26
QRadar Event Collector 1501 .... 27
QRadar Network Insights 1901 .... 28
QRadar Network Insights 1901-C .... 31
QRadar Network Insights 1910 .... 32
QRadar Network Insights 1910-C .... 33
QRadar Network Insights 1920 .... 34
QRadar Network Insights 1920-C .... 37
QRadar Incident Forensics .... 38
QRadar Incident Forensics-C .... 39
QRadar Network Packet Capture .... 40
QRadar Network Packet Capture-C .... 42
Chapter 5. QRadar M4 appliance overview .... 45
QRadar xx05 .... 45
QRadar xx28 .... 46
QRadar xx28-C .... 47
QRadar 21xx .... 49
QRadar QFlow Collector 1201 .... 50
QRadar QFlow Collector 1202 .... 51
QRadar QFlow Collector 1202-C/1301-C .... 51
QRadar QFlow Collector 1301 .... 52
QRadar QFlow Collector 1310 .... 53
QRadar QFlow Collector 1310 SR-C/LR-C .... 54
QRadar Event Collector 1501 .... 55
QRadar Network Insights 1920-C .... 55
QRadar Incident Forensics .... 57
QRadar Packet Capture .... 58
QRadar Network Packet Capture-C .... 59
Chapter 6. QRadar M3 appliance overview .... 61
QRadar xx05 .... 61
QRadar xx24 .... 62
QRadar 21xx .... 63
QRadar QFlow Collector 1201 .... 64
QRadar QFlow Collector 1202 .... 64
QRadar QFlow Collector 1301 .... 65
QRadar QFlow Collector 1310 .... 65
QRadar Event Collector 1501 .... 66
Notices .... 67
Trademarks .... 68
Terms and conditions for product documentation .... 68
IBM Online Privacy Statement .... 69
General Data Protection Regulation .... 69
About this guide
The IBM QRadar SIEM Hardware Guide provides QRadar appliance descriptions, diagrams, and specifications.
Intended audience
This guide is intended for all QRadar SIEM users responsible for investigating and managing network security. This guide assumes that you have QRadar SIEM access and a knowledge of your corporate network and networking technologies.
Technical documentation
For information about how to access more technical documentation, technical notes, and release notes, see Accessing IBM Security Documentation Technical Note (http://www.ibm.com/support/docview.wss?rs=0&uid=swg21612861).
Contacting customer support
For information about contacting customer support, see QRadar Support – Assistance 101 (https://ibm.biz/qradarsupport).
Statement of good security practices
IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
Please Note:
Use of this Program may implicate various laws or regulations, including those related to privacy, data protection, employment, and electronic communications and storage. IBM QRadar may be used only for lawful purposes and in a lawful manner. Customer agrees to use this Program pursuant to, and assumes all responsibility for complying with, applicable laws, regulations and policies. Licensee represents that it will obtain or has obtained any consents, permissions, or licenses required to enable its lawful use of IBM QRadar.
© Copyright IBM Corp. 2014, 2019 v
vi IBM Security QRadar : QRadar Hardware Guide
Chapter 1. Integrated Management Module
The Integrated Management Module (IMM) is a management module that is used for systems-management functions.
On the back panel of each appliance type, the serial connector and Ethernet connectors can be managed by using the Integrated Management Module (IMM). You can configure the IMM to share an Ethernet port with the IBM QRadar management interface; however, you can configure the IMM in dedicated mode to reduce the risk of losing the IMM connection when the appliance is restarted. To configure the IMM, you must access the System BIOS settings by pressing the F1 key when the IBM splash screen is displayed. For further instructions on how to configure the IMM, see the Integrated Management Module User's Guide that comes with your appliance.
Chapter 2. Appliance Diagrams
View the diagrams and descriptions for the back and front panels of your appliance. These diagrams are representations of an IBM QRadar appliance. Your system might vary, depending on the version of appliance you purchased.
• Chapter 4, “QRadar M5 appliance overview,” on page 17
• Chapter 5, “QRadar M4 appliance overview,” on page 45
• Chapter 6, “QRadar M3 appliance overview,” on page 61
Chapter 3. QRadar SIEM hardware migration scenarios
If your hardware reaches its end of life, if you need to be able to process more events or flows, or if you are consolidating existing hardware, plan to migrate data from older IBM QRadar SIEM appliances to new QRadar appliances.
You have several options when you migrate:
• “Replacing a QRadar managed host” on page 5
• “Replacing a QRadar Console with an appliance that uses the same IP address” on page 8
• “Replacing a QRadar Console with an appliance that uses a new IP address” on page 12
Replacing a QRadar managed host
Migrate data from an older QRadar managed host (16xx, 17xx, or 18xx) appliance to newer hardware. Follow this process for non-HA appliances.
Before you begin
Ensure that the following conditions are met:
• You recorded the network information for the old appliance, because you must manually type this information into the network configuration for the new appliance.
• The software version of the new appliance matches the software version of the QRadar Console. You might be required to reinstall an ISO image for the appliance to downgrade or use an SFS fix pack to upgrade.
• You configured data backups to prevent potential data loss during the migration.
About this task
During migration, the IP address of the old appliance is assigned to the new hardware. The new hardware is added to the deployment and then you move data while new events are collected from the network.
Procedure
1. Prepare your new hardware:
a) Rack the appliance and connect network connections.
b) Review the paperwork for your appliance to determine which QRadar version is installed on the new hardware.
2. Review your software version.
a) If your Console software version is older than the software on the appliance, re-install the appliance with the newest ISO that is less than or equal to the Console software version. Download the ISO file from Fix Central (www.ibm.com/support/fixcentral/).
b) Follow the installation wizard to complete the installation.
c) Type a root password for the appliance.
d) Type a temporary IP address and network information for the new hardware.
e) Log in as a root user, and select the appliance type during the installation process.
f) If your Console patch version is newer than the software on the appliance, download and install the SFS (software fix/patch) from Fix Central (www.ibm.com/support/fixcentral/).
3. Remove the old appliance from the deployment.
a) Log in to QRadar as an administrator.
b) Click the Admin tab and click the System and License Management icon.
c) From the Display menu, click Systems, and then select the old QRadar appliance.
d) Click Deployment Actions > Remove Host.
e) When prompted, click Remove to confirm the removal of the host deployment.
Attention: Don't delete the components for the Event Collector and Event Processor, because these components are re-used.
4. Reassign the IP addresses to ensure that the decommissioned appliance doesn't cause an IP address conflict in the network after it is powered back on.
a) To reassign the IP address of the old appliance to any unused address:
1) Use IMM (Integrated Management Module) for remote access, or use the local Console keyboard, to log in to the command line of the old appliance as the root user.
2) Reassign the IP address of the old appliance by typing the following command:
/opt/qradar/bin/qchange_netsetup
b) Set the IP address for the new hardware:
1) Use IMM for remote access, or use the local Console keyboard, to log in to the command line of the new appliance as the root user.
2) From the command line of the new appliance, type /opt/qradar/bin/qchange_netsetup to use the same host name and IP address as the old appliance.
If you want to migrate old data to the new system, leave the existing system running and connected to the network. The data is moved when the new appliance is running and collecting data.
5. Add the new appliance to the deployment.
a) Log in to QRadar as an administrator.
b) Click the Admin tab and click the System and License Management icon.
c) Click Deployment Actions > Add Host.
d) If you're prompted to add old components from the deployment to the host, click Yes. Any deployment components that were on the old appliance are reassociated with this host so that any protocol-based sources are automatically enabled and migrated to the new appliance.
e) Click Save and Close.
f) On the Admin tab, click the Deploy Changes icon.
g) Verify that event or flow sources that were reporting to the original host are being processed in the QRadar user interface.
After you add the host back to the QRadar deployment, the deployment process ensures that the required configuration is regenerated on the new appliance. After the new host is part of the deployment, you can only use SSH access from the Console.
6. To copy data from the old appliance, shut down the host firewall on the new appliance by typing the command systemctl stop iptables.
7. Copy certificates and custom-generated key pairs from the old appliance to the new appliance to ensure that log sources and scanners can connect to remote sources.
You must also migrate any custom-generated private keys that you have by transferring the /etc/ssh and /root/.ssh directories.
a) Log in to the old QRadar managed host as the root user.
b) Copy the data from the old hardware to the new appliance by using the rsync command as in one of the following examples:
Tip: For better performance when using a crossover cable solution, use rsync -av instead of rsync -avz.
Use this example for certificates:
Example: rsync -avz /opt/qradar/conf/trusted_certificates/ root@new_appliance:/opt/qradar/conf/trusted_certificates
Use these examples for SSH:
Example 1: rsync -avz /etc/ssh/ root@new_appliance:/etc/ssh
Example 2: rsync -avz /root/.ssh/ root@new_appliance:/root/.ssh
8. Transfer event and flow data to the new appliance.
You can use either rsync or SCP to complete the data transfer. These commands might require the root user to accept SSH keys and provide the root password for the target server. The length of this process depends on how much data needs to be transferred.
a) Log in to the old QRadar appliance as the root user.
b) Copy the data from the old appliance to the new appliance (target server) by using the rsync command, as in the following example:
Tip: For better performance when using a crossover cable solution, use rsync -av instead of rsync -avz.
rsync -avz /store/ariel/ root@new_appliance:/store/ariel
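The rsync copies in steps 7 and 8 preserve ownership and modes, but nothing in the procedure confirms that the copied tree matches the source by content, or that the private keys under /etc/ssh and /root/.ssh arrived with strict permissions. The following script is an added example, not IBM's code and not part of the guide; it assumes both trees are reachable as local paths (for instance after pulling a copy back for comparison) and that find, sha256sum and GNU or BSD stat are available. Run it before deploying changes and again after the /store/ariel transfer.

```shell
#!/bin/sh
# Added example, not IBM's code and not part of the guide. After the rsync copies in
# steps 7 and 8, confirm the target tree matches the source by content and that
# private keys kept strict permissions. Assumptions: both trees are local paths;
# find, sha256sum and GNU or BSD stat are available.
set -eu

# Print "hash  ./relative-path" for every regular file under $1, sorted so two
# trees compare line by line.
tree_digest() {
    dir=$1
    (cd "$dir" && find . -type f | sort | while IFS= read -r f; do
        sha256sum "$f"
    done)
}

# Succeeds only when both trees hold the same files with identical contents.
trees_match() {
    a=$(tree_digest "$1")
    b=$(tree_digest "$2")
    [ "$a" = "$b" ]
}

# Private keys under $1 (host keys and id_* files; public halves are skipped) must be
# mode 600 or 400; anything looser is reported and the function returns 1.
check_key_perms() {
    dir=$1
    bad=0
    for f in "$dir"/ssh_host_*_key "$dir"/id_*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        case "$mode" in
            600|400) ;;
            *) echo "loose permissions $mode on $f" >&2; bad=1 ;;
        esac
    done
    return "$bad"
}

# Usage: sh verify_copy.sh <source tree> <copied tree>
if [ $# -eq 2 ]; then
    if trees_match "$1" "$2"; then echo "trees match"; else echo "trees differ"; exit 1; fi
    check_key_perms "$2"
fi
```

The content comparison matters because rsync -a decides what to copy from size and modification time; a file that was replaced on the old appliance with one of the same size and timestamp is skipped silently. The permission check catches the case where the copy was made without -a or through an intermediate host that dropped the modes, which sshd would later refuse to load.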
9. Optional: Copy over event collector data, if you have any data in /store/ec.
a) Log in to the old appliance as the root user.
b) Stop ecs-ec-ingress on the old appliance by typing the following command:
systemctl stop ecs-ec-ingress
c) Log in to the new appliance as the root user.
d) Create a file on the new appliance to prevent ecs-ec-ingress from automatically restarting by typing the following command:
touch /storetmp/ecs-ec-ingress.ecs-ec-ingress.manually_stopped
e) Stop ecs-ec-ingress on the new appliance by typing the following command:
systemctl stop ecs-ec-ingress
f) Copy the data from /store/ec on the old appliance to /store/ec on the new appliance.
g) Remove the file created in substep d from the new appliance by typing the following command:
rm -f /storetmp/ecs-ec-ingress.ecs-ec-ingress.manually_stopped
h) Start ecs-ec-ingress on the new appliance by typing the following command:
systemctl start ecs-ec-ingress
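Step 9 as a single script run on the new appliance, added here as an example and not IBM's code: the unit name, marker-file path and directories are the ones the guide gives. OLD_HOST is a placeholder for the old appliance, and EC_SOURCE, EC_DIR, STORETMP and SYSTEMCTL are hypothetical overrides so the flow can be rehearsed on scratch directories with a dummy service controller (SYSTEMCTL=true). The order of operations is the guide's: the marker is created before the stop, and removed only after the copy succeeded; on a failed copy the marker is deliberately left in place so ingress stays down until someone looks at the partial copy.

```shell
#!/bin/sh
# Added example (not IBM's code): step 9, the /store/ec copy, as one script run on the
# NEW appliance. Unit name, marker path and directories are the guide's. Assumptions:
# OLD_HOST is a placeholder for the old appliance; EC_SOURCE, EC_DIR, STORETMP and
# SYSTEMCTL are hypothetical overrides for rehearsing on scratch directories.
set -eu

marker_path() { echo "${STORETMP:-/storetmp}/ecs-ec-ingress.ecs-ec-ingress.manually_stopped"; }
ec_dir()      { echo "${EC_DIR:-/store/ec}"; }
# Either a local directory (rehearsal) or root@<old appliance>:/store/ec over SSH.
ec_source()   { echo "${EC_SOURCE:-root@${OLD_HOST:-old_appliance}:/store/ec}"; }
service_ctl() { echo "${SYSTEMCTL:-systemctl}"; }

# Steps a) and b): stop ingress on the old appliance so the spool stops changing.
hold_old_ingress() {
    src=$(ec_source)
    case "$src" in
        *:*) ssh "${src%%:*}" systemctl stop ecs-ec-ingress ;;
        *)   : ;;  # local source: nothing to stop remotely
    esac
}

# Steps d) and e): drop the marker first so nothing restarts the unit, then stop it.
hold_ingress() {
    touch "$(marker_path)"
    "$(service_ctl)" stop ecs-ec-ingress
}

# Step f): copy the spool. rsync -a keeps ownership and modes, which ecs-ec-ingress
# needs when it picks the files up again; cp -pR is the fallback for a local source.
copy_ec_data() {
    src=$(ec_source); dst=$(ec_dir)
    mkdir -p "$dst"
    if command -v rsync >/dev/null 2>&1; then
        rsync -a "$src/" "$dst/"
    else
        case "$src" in *:*) echo "rsync is required for a remote source" >&2; return 1 ;; esac
        cp -pR "$src/." "$dst/"
    fi
}

# Steps g) and h): remove the marker, then start the unit again.
release_ingress() {
    rm -f "$(marker_path)"
    "$(service_ctl)" start ecs-ec-ingress
}

# Whole step 9. On a failed copy the marker is left in place on purpose: ingress stays
# stopped until an operator has looked at the partial copy.
migrate_ec_data() {
    hold_old_ingress
    hold_ingress
    if copy_ec_data; then
        release_ingress
    else
        echo "copy failed; $(marker_path) left in place and ecs-ec-ingress not started" >&2
        return 1
    fi
}

# Usage on the new appliance: OLD_HOST=<old appliance> sh migrate_ec.sh --run
if [ "${1:-}" = "--run" ]; then migrate_ec_data; fi
```

The marker file is what makes the stop stick: without it, QRadar's host services bring ecs-ec-ingress back up on their own, and a collector writing into /store/ec while the copy is running produces a spool that is neither the old appliance's nor the new one's.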
10. Type the command systemctl start iptables after the configuration and data migration are complete.
What to do next
After the data transfer is complete, decommission the old appliance and unrack the obsolete hardware.
Replacing a QRadar Console with an appliance that uses the same IP address
Migrate data from an older QRadar Console to a new Console that uses the same IP address. All managed host appliances stay as-is. Use this process for non-HA appliances.
Before you begin
• Write down the network information for the old Console; you must enter this information into the network configuration for the new appliance. Ensure that the old Console and the new Console are in the same network.
• Save a recent configuration backup from the old Console. The configuration backup is used to restore settings, users, rules, log sources, and more to the new Console.
• Complete a QRadar installation on the new Console by using the software version that matches that of the old Console. The installation of the new Console uses a temporary IP address until the old hardware is removed from the deployment.
• If you are using WinCollect, ensure that the WinCollect version on the new Console matches the version on the old Console before you migrate.
About this task
It is not necessary to remove managed hosts from the old QRadar Console because the new QRadar Console takes over any existing hosts in the deployment. This procedure allows managed hosts in the deployment to continue to receive events while the Console is offline.
Procedure
1. Prepare your new hardware:
a) Rack the appliance and connect network connections.
b) Power on the appliance and log in as root.
c) When the system displays the license agreement (EULA), press Ctrl+C to open a command prompt.
d) To view the installed software version, type the following command:
/opt/qradar/bin/myver
e) Compare the software version on the new hardware and the old hardware:
• If the new hardware's software version is older than the software that is running in production, log out, and then log in again as root and complete the installation. After the installation completes, download the correct Fix Pack to upgrade the Console to the same version as the deployment.
• If the new hardware's software version is newer than the software that is running in production, you can either choose to upgrade your production system to match the new appliance, or downgrade the software by installing an older release of QRadar from Fix Central (www.ibm.com/support/fixcentral/). Reinstall the new system with an older release first, and then begin this procedure.
• If the new hardware's software version is the same as the software that is running in production, log out, log in again as root, and complete the installation.
f) Configure QRadar.
g) Type a temporary IP address and network information for the new hardware.
h) Type a root password for the appliance.
i) Follow the installation wizard to complete the installation.
j) If required from Step 1e, upgrade the new hardware to the same version level as the old Console.
2. Prepare your old QRadar hardware:
a) Log in to the old Console.
b) Click the Admin tab, and then click the Backup and Recovery icon.
c) From the navigation menu, click On Demand Backup.
Important: Configuration backups can only be restored to the same version of QRadar that they were created with. If you plan to change the overall QRadar version in the deployment, you must create a new configuration backup after any software change and keep these files in a safe place for your hardware migration. Moving from a smaller Console to a larger or newer appliance is supported by the migration or backup process. For example, a 3105 Console's configuration backup can be applied to a 3128 or a 3148 appliance.
d) Type a name and description for the new configuration backup.
e) Click Run Backup and wait for the configuration backup to complete.
f) After the backup finishes, click the new configuration backup name that you created to download the file.
g) Copy the configuration backup from the old QRadar Console to a safe location.
A configuration backup file is created for the new Console to use. This file is required later on in the procedure to restore users, rules, log sources, offenses, reports, admin configurations, and other system settings to the new hardware.
3. Stop services on the old Console by typing the following commands:
systemctl stop hostcontext
systemctl stop tomcat
systemctl stop hostservices
4. Reassign IP addresses on the old QRadar Console.
This process is done manually by adjusting the network configuration file directly, instead of using the qchange_netsetup command. You can use this method to change the system's physical IP address to avoid conflicts. If the backup restore does not complete on the new system, you can easily revert to the old address. After the IP address is changed on the existing Console, it cannot affect any changes to the other hosts in the deployment unless the IP address is reverted.
Note: Complete this task by using IMM or a physical keyboard to prevent connection and lockout issues. If you're used to editing network configuration files in Linux, you can use SSH and the screen command. Using a direct SSH session with systemctl restart network results in the loss of network connectivity and causes issues with the address change and service restart.
a) Use IMM for remote access, or the local Console keyboard, to log in to the command line of the old appliance as the root user.
b) Verify which network interface is the management interface by typing the following command:
cat /etc/management_interface
The interface that is listed in this file is the QRadar management interface.
c) Change the directory to /etc/sysconfig/network-scripts/.
d) Open the ifcfg-<name> file that was listed in the /etc/management_interface file.
e) Change the IP address to an unused or decommissioned range by editing the IPADDR= line.
f) Save the changes to the file.
g) Restart networking by typing the following command:
systemctl restart network
Note: After the network services are restarted, the IP address switch and the IP address change are completed, freeing up the old IP address to use on the new Console. If any QRadar processes on the system result in errors, QRadar operates normally if you switch the IP address back later. Don't unrack the old hardware until after you transfer the data onto the new appliance.
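Step 4 done as a script, as an added example rather than IBM's own tooling: it reads the interface name from /etc/management_interface (the guide's file), validates the replacement address, keeps a backup of the ifcfg file, rewrites only the IPADDR= line, and restarts networking only if the edit succeeded, so a typo in the address cannot leave the old Console unreachable. ROOTDIR is a hypothetical prefix so the edit can be rehearsed on a copy of the files; 192.0.2.250 in the usage line is a documentation-range placeholder, not an address from the guide. As the note above says, run it from the IMM or a local keyboard, not over SSH.

```shell
#!/bin/sh
# Added example, not IBM's tooling: step 4 (re-addressing the old Console by editing
# its ifcfg file) as a script. Reads the interface name from /etc/management_interface,
# validates the replacement address, backs up the ifcfg file, rewrites only IPADDR=,
# and restarts networking only when the edit succeeded. ROOTDIR is a hypothetical
# prefix for rehearsing on a copy of the files; leave it empty on the appliance.
set -eu

ROOTDIR=${ROOTDIR:-}

# Accept only a dotted quad with four octets in 0-255.
valid_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# Interface named in /etc/management_interface (for example eth0).
management_iface() {
    tr -d ' \n' < "$ROOTDIR/etc/management_interface"
}

# Current IPADDR value of ifcfg-$1, quotes stripped.
current_ipaddr() {
    sed -n 's/^IPADDR=//p' "$ROOTDIR/etc/sysconfig/network-scripts/ifcfg-$1" | tr -d '"'
}

# Rewrite IPADDR= in ifcfg-$1 to $2 after saving a timestamped backup. Returns 1 and
# changes nothing when the address is malformed or the file has no IPADDR= line.
set_ifcfg_ipaddr() {
    iface=$1; newip=$2
    cfg="$ROOTDIR/etc/sysconfig/network-scripts/ifcfg-$iface"
    valid_ipv4 "$newip" || { echo "rejecting malformed address '$newip'" >&2; return 1; }
    grep -q '^IPADDR=' "$cfg" || { echo "no IPADDR= line in $cfg" >&2; return 1; }
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    tmp="$cfg.tmp.$$"
    sed "s/^IPADDR=.*/IPADDR=$newip/" "$cfg" > "$tmp"
    mv "$tmp" "$cfg"
}

# Usage (from the IMM or local keyboard, as the guide directs): sh reassign_ip.sh 192.0.2.250
# 192.0.2.250 is a documentation-range placeholder, not an address from the guide.
if [ $# -eq 1 ]; then
    iface=$(management_iface)
    set_ifcfg_ipaddr "$iface" "$1"
    systemctl restart network
fi
```

The timestamped backup is what makes the revert the guide mentions a one-line operation: copy the .bak file back over ifcfg-<name> and restart networking, and the old Console answers on its original address again.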
5. Set IP addresses on the new QRadar Console:
a) Use IMM for remote access, or the local Console keyboard, to log in to the command line of the new appliance as the root user.
b) Change the IP address by typing the following command:
/opt/qradar/bin/qchange_netsetup
c) Use the Configuration Wizard to change the IP address of the system to the old Console's IP address.
d) Save and exit the wizard to complete the address change.
The new Console is installed with the old Console's IP address.
6. Copy certificates and custom-generated key pairs from the old appliance to the new appliance to ensure that log sources and scanners can connect to remote sources. You must also migrate any custom-generated private keys that you have by transferring the /etc/ssh and /root/.ssh directories.
a) Log in to the old QRadar Console as the root user.
b) Copy the data from the old hardware to the new appliance by using rsync as in the following examples:
Tip: For better performance when using a crossover cable solution, use rsync -av instead of rsync -avz.
Use this example for certificates:
Example: rsync -avz /opt/qradar/conf/trusted_certificates/ root@new_appliance:/opt/qradar/conf/trusted_certificates/
Use these examples for SSH:
Example 1: rsync -avz /etc/ssh/ root@new_appliance:/etc/ssh
Example 2: rsync -avz /root/.ssh/ root@new_appliance:/root/.ssh
c) Wait for the transfer to complete.
d) If you are using custom SSL certificates, follow these steps:
1) Copy the certificate or intermediate certificate from the old Console's /etc/httpd/conf/certs directory.
2) Install the SSL certificate that you copied on the new Console by using /opt/qradar/bin/install-ssl-cert.sh -I and follow the instructions.
The wizard prompts you for a private key. You might have to copy the private key to the server if it is not stored in the /etc/httpd/conf/certs/ directory. It is usually a best practice not to store the private key on the server itself.
The required certificate and ssh key files are transferred to the new Console. You can now migrate event and flow data from the old Console to the new Console.
7. Restore the backup configuration to the new QRadar Console appliance:
a) Using SCP, copy the configuration backup file that you downloaded previously to the /store/backupHost/inbound/ directory on the new Console.
b) Log in to the new QRadar Console as an administrator.
c) Click the Admin tab and select the Backup and Recovery icon.
d) Select the configuration backup that you copied to the Console and click Restore.
e) In the restore options list, check Select All Configuration Items and Select All Data Items.
f) Click Restore to start the configuration restore process.
Note: The restore process might take a while to complete.
g) After the restore process is complete, log in to QRadar.
h) From the Admin tab, click Advanced > Deploy Full Configuration.
i) Verify that event or flow sources that reported to the original host are now processed in QRadar.
After the host is added back to the QRadar deployment, the deployment process ensures that the required configuration is regenerated on the new appliance. Verify that log source data is pulled and that flow data is received by the new Console. Any log sources that are not collecting data might require certificates to be moved to the new host.
When the configuration is finished restoring on the new Console, you might receive an error that indicates that the Console license keys expired. You can add the new licenses to resolve this error.
8. Transfer any event and flow data to the new hardware.
The data transfer can be a lengthy process. You can use cross-over cables to quicken the transfer of event and flow information if your appliances are located in the same data center. Data is moved in one-month intervals to keep the performance impact at a minimum. The syncAriel.sh utility does not move certificates or configurations, only data that is stored in the /store/ariel/ directory. SSH traffic must be allowed to migrate the data. You might be required to accept SSH keys and provide the root password for the target server to start the transfer.
a) Download syncAriel.sh from step 7 in this technote (http://www-01.ibm.com/support/docview.wss?uid=swg21984607).
b) Log in to the old QRadar Console as the root user.
c) Using SCP, copy the syncAriel.sh utility to the old Console.
d) Navigate to the directory with the syncAriel.sh utility and type the following command:
chmod +x syncAriel.sh
e) Type the following command:
screen
Note: For data transfers, start a screen session so that you can reestablish the connection in case of a minor network outage. To detach the session so that you can log out, press Ctrl+A and then D (or Ctrl+A and then Ctrl+D); use screen -r to reattach to the screen session.
f) Run the utility by typing the following command:
sh syncAriel.sh -i <new_Console's_IPAddress>
g) Wait for the transfer to complete, then close the screen session.
Data is migrated from the /store/ariel directory of the old Console to the new Console.
If your connection dropped or a network outage occurred, you can run the syncAriel.sh utility again to migrate data. The syncAriel.sh utility keeps track of files that have been rsync'd to the new appliance, and data that has already been transferred will not be copied a second time.
9. Optional: Copy over event collector data, if you have any data in /store/ec.a) Log into the old appliance as the root user.b) Stop ecs-ec-ingress on the old appliance by typing the following command:
systemctl stop ecs-ec-ingress
c) Log in to the new appliance as the root user.
d) Create a file on the new appliance to prevent ecs-ec-ingress from automatically restarting by typing the following command:
touch /storetmp/ecs-ec-ingress.ecs-ec-ingress.manually_stopped
e) Stop ecs-ec-ingress on the new appliance by typing the following command:
Chapter 3. QRadar SIEM hardware migration scenarios 11
systemctl stop ecs-ec-ingress
f) Copy the data from /store/ec on the old appliance to /store/ec on the new appliance.
g) Remove the file created in substep d from the new appliance by typing the following command:
rm -f /storetmp/ecs-ec-ingress.ecs-ec-ingress.manually_stopped
h) Start ecs-ec-ingress on the new appliance by typing the following command:
systemctl start ecs-ec-ingress
Results
After the data transfer is complete, you might want to keep the old Console on hand in case you need to revert to the old appliance. Otherwise, after a week or two, you won't need the old Console and you can decommission or repurpose it for other uses.
Replacing a QRadar Console with an appliance that uses a new IP address
Migrate data from an older QRadar Console to a new Console appliance that uses a new IP address. All managed host appliances stay as-is. Use this process for non-HA appliances.
Before you begin
You must complete a QRadar installation on the new Console with a matching software version to the old Console.
About this task
You don't have to remove managed hosts from the old QRadar Console because the new QRadar Console takes over any existing hosts in the deployment. This procedure allows managed hosts in the deployment to continue to receive events while the Console is offline.
Procedure
1. Prepare your new hardware:
a) Rack the appliance and connect network connections.
b) Review the paperwork for your appliance to determine which QRadar version is installed on the new hardware.
2. Review your software version.
a) If your Console software version is older than the software on the appliance, re-install the appliance with the newest ISO that is less than or equal to the Console software version. Download the ISO file from Fix Central (www.ibm.com/support/fixcentral/).
b) Follow the installation wizard to complete the installation.
c) Type a root password for the appliance.
d) Type a new IP address and network information for the new hardware.
e) Log in as a root user and select the appliance type during the installation process.
f) If your Console patch version is newer than the software on the appliance, download and install the SFS (software fix/patch) from Fix Central (www.ibm.com/support/fixcentral/).
3. Prepare your old QRadar hardware.
a) Log in to the old Console.
b) Click the Admin tab, and then click the Backup and Recovery icon.
c) From the navigation menu, click On Demand Backup.
12 IBM Security QRadar : QRadar Hardware Guide
Important: Configuration-only backups can be restored to the same version of QRadar that they were created with. If you plan to change the overall QRadar version in the deployment, you must create a new configuration backup after any software changes and keep these files in a safe place for your hardware migration. Moving from a smaller Console to a larger or newer appliance is supported. For example, a 3105 Console's configuration backup can be applied to a 3128 or a 3148 appliance.
d) Type a name and description for the new configuration backup.
e) Click Run Backup and wait for the configuration backup to complete.
f) After the backup finishes, click the new configuration backup name that you created to download the file.
g) Copy the configuration backup from the old QRadar Console to a safe location.
A configuration backup file is created for the new Console to use. This file is required later on in the procedure to restore users, rules, log sources, offenses, reports, admin configurations, and other system settings to the new hardware.
4. Copy certificates and custom-generated key pairs from the old appliance to the new appliance to ensure that log sources and scanners can connect to remote sources.
You must also migrate any custom generated private keys that you have by transferring the /etc/ssh and /root/.ssh directories.
a) Log in to the old QRadar managed host as the root user.
b) Copy the data from the old hardware to the new appliance by using the rsync command, as in the following examples:
Tip: For better performance when using a crossover cable solution, use rsync -av instead of rsync -avz.
Use this example for certificates:
Example: rsync -avz /opt/qradar/conf/trusted_certificates/ root@targetserver:/opt/qradar/conf/trusted_certificates/
Use these examples for SSH:
Example 1: rsync -avz /etc/ssh/ root@targetserver:/etc/ssh/
Example 2: rsync -avz /root/.ssh/ root@targetserver:/root/.ssh/
c) Wait for the transfer to complete.
d) If you use custom SSL certificates, do the following steps:
1) Copy the certificate or intermediate certificate from the old Console's /etc/httpd/conf/certs directory.
2) On the new Console, install the SSL certificate by using /opt/qradar/bin/install_ssl_cert.sh -i and follow the on-screen instructions.
The required certificate and SSH key files are transferred to the managed host. You can now migrate event and flow data from the old appliance to the new hardware.
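The host key copy in step 4 is the part of this procedure most worth checking: if /etc/ssh did not land in the right place, the new Console keeps the host keys generated at install time and every managed host sees a changed key the next time it connects. The following script is an added example, not part of the IBM guide and not a QRadar utility. It computes the same SHA256 fingerprint that ssh-keygen -lf prints for each ssh_host_*_key.pub file and compares the old and new appliance by key type. The sample keys it builds in __main__ are constructed placeholders, and the workflow of running it on each appliance is an assumption.

```python
"""
Added example (not from the IBM QRadar Hardware Guide): compare SSH host key
fingerprints on the old and new appliance after /etc/ssh has been transferred.

Assumed workflow: run `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on each
appliance, or copy the ssh_host_*_key.pub files to one machine and call
compare_host_keys() on their contents.  The keys built in __main__ are
constructed placeholders, not real keys.
"""
import base64
import hashlib
import struct
from pathlib import Path


def key_type(pubkey_line: str) -> str:
    """First field of an OpenSSH public key line, e.g. "ssh-ed25519"."""
    return pubkey_line.split()[0]


def ssh_fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of one "<type> <base64 blob> [comment]" line.

    The fingerprint is the SHA-256 digest of the decoded blob, base64-encoded
    with the trailing '=' padding removed; this is what `ssh-keygen -lf` prints.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    digest = hashlib.sha256(base64.b64decode(fields[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def compare_host_keys(old_lines, new_lines) -> dict:
    """Match host keys by type: {type: (old_fp, new_fp, same)}.

    A key type present on only one side is reported with None for the missing
    fingerprint and same=False.  Any line that is not the same means managed
    hosts will see a changed host key when they reconnect to the new Console.
    """
    old = {key_type(l): ssh_fingerprint(l) for l in old_lines}
    new = {key_type(l): ssh_fingerprint(l) for l in new_lines}
    report = {}
    for t in sorted(set(old) | set(new)):
        o, n = old.get(t), new.get(t)
        report[t] = (o, n, o is not None and o == n)
    return report


def load_pubkeys(ssh_dir: str = "/etc/ssh") -> list:
    """Read every ssh_host_*_key.pub file under an /etc/ssh directory."""
    return [p.read_text().strip()
            for p in sorted(Path(ssh_dir).glob("ssh_host_*_key.pub"))]


def constructed_pubkey(type_name: str, raw_key: bytes) -> str:
    """Build a syntactically valid public key line around constructed key bytes.

    The blob uses the SSH wire encoding: a length-prefixed type string followed
    by a length-prefixed key (the ssh-ed25519 layout).  Only for testing.
    """
    def ssh_string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = ssh_string(type_name.encode()) + ssh_string(raw_key)
    return f"{type_name} {base64.b64encode(blob).decode()} constructed@example"


if __name__ == "__main__":
    # Constructed sample: the old Console's key and two candidate new Consoles.
    old_key = constructed_pubkey("ssh-ed25519", bytes(range(32)))
    copied_key = old_key                                                       # /etc/ssh rsync'd correctly
    fresh_key = constructed_pubkey("ssh-ed25519", bytes(reversed(range(32))))  # key generated at install
    for label, new_side in (("after rsync", [copied_key]), ("fresh install", [fresh_key])):
        for t, (o, n, same) in compare_host_keys([old_key], new_side).items():
            print(f"{label:14} {t}: {'MATCH' if same else 'MISMATCH'} old={o} new={n}")
```

On real appliances, call load_pubkeys() on each side and pass the two lists to compare_host_keys(); a MISMATCH row after the rsync in step 4 means the destination path was wrong and the managed hosts' known_hosts entries will no longer match the new Console, which shows up as failed SSH tunnels after cutover rather than as an obvious error.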
5. Restore the backup configuration to the new QRadar Console appliance.
a) Using SCP, copy the configuration backup file that you downloaded previously to /store/backuphost/inbound/ on the new Console.
b) Using SSH, log in to the old QRadar Console as the root user.
c) To stop IPtables on all hosts, type the following command:
/opt/qradar/support/all_servers.sh "systemctl stop iptables"
d) Log in to the new QRadar Console as an administrator.
e) Click the Admin tab, and then click the Backup and Recovery icon.
f) Select the configuration backup that you copied to the Console and click Restore.
g) In the restore options list, click Select All Configuration Items.
h) In the restore options list, click Select All Data Items.
i) Click Restore to start the configuration restore process.
j) After the restore process finishes, click the Admin tab.
k) Select Advanced > Deploy Full Configuration.
l) Wait for the deployed changes to complete.
m) To start IPtables on all hosts, type the following command:
/opt/qradar/support/all_servers.sh "systemctl start iptables"
n) Verify that event or flow sources that were reporting to the original host are being processed in the QRadar user interface.
After the host is added back to the QRadar deployment, the deployment process ensures that the required configuration is regenerated on the new appliance. Verify that log source data is being pulled and that flow data is being received by the new hardware. Any log sources that are not collecting data might require certificates to be moved to the new host.
6. Transfer event and flow data to the new hardware.
You can use either rsync or SCP to complete the data transfer. These commands might require the root user to accept SSH keys and provide the root password for the target server. The length of this process depends on how much data needs to be transferred.
a) Log in to the old QRadar Console as the root user.
b) Copy the data from the old hardware to the new appliance (targetserver) by using the rsync command, as in the following example:
Tip: For better performance when using a crossover cable solution, use rsync -av instead of rsync -avz.
Example: rsync -avz /store/ariel/ root@new_appliance:/store/ariel
7. Optional: Copy over event collector data, if you have any data in /store/ec.
a) Log in to the old appliance as the root user.
b) Stop ecs-ec-ingress on the old appliance by typing the following command:
systemctl stop ecs-ec-ingress
c) Log in to the new appliance as the root user.
d) Create a file on the new appliance to prevent ecs-ec-ingress from automatically restarting by typing the following command:
touch /storetmp/ecs-ec-ingress.ecs-ec-ingress.manually_stopped
e) Stop ecs-ec-ingress on the new appliance by typing the following command:
systemctl stop ecs-ec-ingress
f) Copy the data from /store/ec on the old appliance to /store/ec on the new appliance.
g) Remove the file created in substep d from the new appliance by typing the following command:
rm -f /storetmp/ecs-ec-ingress.ecs-ec-ingress.manually_stopped
h) Start ecs-ec-ingress on the new appliance by typing the following command:
systemctl start ecs-ec-ingress
What to do next
After the data transfer is complete, you might want to keep the old Console on hand in case you need to revert to the old appliance. Otherwise, after a week or two, the old Console is no longer required and can be decommissioned or repurposed for other uses.
To verify that your migration is successful, log in as an administrator, click the Log Activity tab and perform a search to see whether events are flowing. Then click the Network Activity tab and perform a search to see whether flows are being processed.
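The verification above is functional (events and flows visible in the user interface). Before the old Console is decommissioned it is also worth confirming that every file under /store/ariel (syncAriel.sh in step 8 of the same-IP procedure, rsync in step 6 here) and under /store/ec (step 7) actually arrived with the same size. The following script is an added example, not part of the IBM guide and not a QRadar utility: it snapshots a directory tree on each appliance, and diffing the two snapshots lists files that are missing, differ, or exist only on the new side. The file names old.json and new.json, the --hash option and the two-step workflow are assumptions of this script.

```python
"""
Added example (not from the IBM QRadar Hardware Guide): check that a data
directory transferred with syncAriel.sh or rsync (for example /store/ariel or
/store/ec) is complete on the new appliance before the old Console is retired.

Assumed workflow, run as root on each appliance:
  python3 verify_transfer.py snapshot /store/ariel > old.json     # old Console
  python3 verify_transfer.py snapshot /store/ariel > new.json     # new Console
  python3 verify_transfer.py compare old.json new.json
Add --hash to the snapshot commands to compare SHA-256 digests, not only sizes.
"""
import hashlib
import json
import os
import sys
from pathlib import Path


def snapshot(root: str, with_hash: bool = False) -> dict:
    """Map each regular file under root to [size, sha256_hex_or_None].

    Paths are stored relative to root so snapshots taken on two different
    appliances can be compared.  Symlinks and special files are skipped: rsync
    with -a recreates them, and they carry no event or flow data.
    """
    root_path = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            digest = None
            if with_hash:
                h = hashlib.sha256()
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        h.update(chunk)
                digest = h.hexdigest()
            result[full.relative_to(root_path).as_posix()] = [full.stat().st_size, digest]
    return result


def compare_snapshots(old: dict, new: dict) -> dict:
    """Report differences between the old and new copies of a data directory.

    missing  - files on the old appliance that never arrived on the new one
    mismatch - files on both sides whose size (or digest, if hashed) differs
    extra    - files only on the new side; expected once it receives live data
    """
    missing = sorted(set(old) - set(new))
    extra = sorted(set(new) - set(old))
    mismatch = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {
        "missing": missing, "mismatch": mismatch, "extra": extra,
        "old_files": len(old), "new_files": len(new),
        "old_bytes": sum(v[0] for v in old.values()),
        "new_bytes": sum(v[0] for v in new.values()),
    }


def transfer_complete(report: dict) -> bool:
    """True when every old file is present with the same size/digest on the new side."""
    return not report["missing"] and not report["mismatch"]


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--hash"]
    if len(args) == 2 and args[0] == "snapshot":
        json.dump(snapshot(args[1], with_hash="--hash" in sys.argv), sys.stdout)
    elif len(args) == 3 and args[0] == "compare":
        with open(args[1]) as f_old, open(args[2]) as f_new:
            report = compare_snapshots(json.load(f_old), json.load(f_new))
        for kind in ("missing", "mismatch", "extra"):
            for path in report[kind]:
                print(f"{kind:9} {path}")
        print(f"old: {report['old_files']} files, {report['old_bytes']} bytes; "
              f"new: {report['new_files']} files, {report['new_bytes']} bytes")
        sys.exit(0 if transfer_complete(report) else 1)
    else:
        sys.exit(__doc__)
```

Take the old-side snapshot after the final syncAriel.sh or rsync run, while the old Console is no longer writing new data; files listed as missing or mismatch are the ones to re-run the transfer for, while extra files on the new side are normal once it is receiving live events and flows. Size comparison is cheap enough for multi-terabyte stores; the --hash option reads every file and is better reserved for a spot check or for the smaller /store/ec tree.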
Chapter 4. QRadar M5 appliance overview
Review information about IBM QRadar to understand hardware and license requirements.
Review this overview of QRadar appliances, including capabilities, and license limitations.
QRadar xx05
Use the IBM QRadar xx05 (MTM 4412-Q1E) appliance for various appliance types in your deployment.
Use the QRadar xx05 for the following appliance types:
• QRadar Event Processor 1605
• QRadar Flow Processor 1705
• QRadar 1805 Event and Flow Processor
• QRadar 3105 (All-in-One)
• QRadar 3105 (Console)
• QRadar Log Manager 1605
• QRadar Log Manager 3105 (All-in-One)
• QRadar Log Manager 3105 Console
• QRadar Risk Manager
• QRadar Vulnerability Manager
• QRadar 1400 Data Node
View hardware information and requirements for the QRadar xx05 in the following table:
Table 1. QRadar xx05 overview
Description Value
Maximum capacity QRadar Event Processor 1605: 20,000 EPS
QRadar Flow Processor 1705: 1,200,000 FPM
QRadar 1805 Event and Flow Processor: 5000 EPS, 200,000 FPM
QRadar 3105 (All-in-One): 5000 EPS, 200,000 FPM
Interfaces 2 x 8 Gbps Fiber Channel HBA ports
4 x 10/100/1000 Base T Ethernet interfaces
1 x 10/100/1000 Base-T integrated management module interface
2 x 10 Gbps SFP+ Ethernet ports
Memory 64 GB 2400 MHz DDR4 RDIMM
Storage 10 x 2.5 inch 1 TB 7.2 K rpm NL SAS, 8 TB total (RAID 6), 5.6 TB available to store event and flow data
Power supply Dual redundant 750W AC power supply
Dimensions 28.9 inches deep x 17.1 inches wide x 1.7 inches high
© Copyright IBM Corp. 2014, 2019 17
Included components
Event Collector
Event Processor for processing events
Internal storage for events
QRadar Data Node appliance
Figure 1. QRadar xx05
Table 2. Legend for use with the QRadar xx05 image
Label Description
1 Event data storage
2 IMM port (1GbE TX)
3 Management ports (1 GbE TX)
4 Fibre channel ports (8 Gb SFP+)
5 Management ports (10 GbE SFP+)
For internal flow sources over 50 K flows per minute (FPM), the All-in-One requires external QRadar QFlow Collectors for layer 7 network activity monitoring.
You can upgrade your license to migrate your QRadar Log Manager 3105 (All-in-One) to QRadar 3105 (All-in-One). For more information, see the Migrating QRadar Log Manager to QRadar SIEM Technical Note.
For battery removal steps, see Removing the coin-cell battery (http://publib.boulder.ibm.com/infocenter/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/t_removing_system_battery.html).
“QRadar xx05” on page 17 is based on the Lenovo System x3550 M5.
For more information about the front panel, see Front view (http://publib.boulder.ibm.com/infocenter/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8869.doc/c_front_view.html).
For more information about the back panel, see Rear view (http://publib.boulder.ibm.com/infocenter/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8869.doc/c_rear_view.html).
QRadar xx29
Use the IBM QRadar xx29 (MTM 4412-Q2A) for various appliance types in your deployment.
The QRadar xx29 can be used for the following appliances:
• QRadar Event Processor 1629
• QRadar Flow Processor 1729
• QRadar Event and Flow Processor 1829
• QRadar 3129 (All-in-One)
• QRadar 3129 (Console)
• QRadar Log Manager 1629
• QRadar Log Manager 3129 (All-in-One)
• QRadar Log Manager 3129 (Console)
• QRadar 1400 Data Node
View hardware information and requirements for the QRadar xx29 in the following table:
Table 3. QRadar xx29
Description Value
Maximum capacity QRadar Event Processor 1629: 40,000 EPS
QRadar Flow Processor 1729: 2,400,000 FPM
QRadar Event and Flow Processor 1829: 15,000 EPS, 300,000 FPM
QRadar 3129 (All-in-One): 15,000 EPS, 300,000 FPM
Interfaces 2 x 8 Gbps Fiber Channel HBA ports
4 x 10/100/1000 Base-T Ethernet interfaces
1 x 10/100/1000 Base-T integrated management module interface
2 x 10 Gbps SFP+ Ethernet ports
Memory 128 GB, 8 x 16 GB 2400 MHz DDR4 RDIMM
Storage 12 x 3.5 inch 6 TB SAS 7.2 K rpm, 60 TB total (RAID6)
3129: 48 TB available to store event and flow data.
All other xx29 appliances: 58 TB available to store event and flow data.
Power supply Dual Redundant 900 W AC
Dimensions 31.5 inches deep x 17.5 inches wide x 3.4 inches high
Included components
Event Collector
Event Processor for processing events and flows
Internal storage for events and flows
QRadar Data Node appliance
Chapter 4. QRadar M5 appliance overview 19
Figure 2. QRadar xx29
Table 4. Legend for use with the QRadar xx29 image
Label Description
1 Event data storage
2 IMM port (1GbE TX)
3 Management ports (10 GbE SFP+)
4 Fibre channel ports (8 Gb SFP+)
5 Management ports (1 GbE TX)
For internal flow sources over 50 K flows per minute (FPM), the All-in-One requires external QRadar QFlow Collectors for layer 7 network activity monitoring.
For battery removal steps, see Removing the coin-cell battery (also called CMOS battery) (http://publib.boulder.ibm.com/infocenter/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/t_removing_system_battery.html).
For more information about the front panel, see Front view (http://publib.boulder.ibm.com/infocenter/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/c_front_view.html).
For more information about the back panel, see Rear view (http://publib.boulder.ibm.com/infocenter/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/c_rear_view.html).
For more information, you can also see System x3650 M5 (https://lenovopress.com/lp0068-lenovo-system-x3650-m5-machine-type-8871.html).
QRadar xx29-C
Use the IBM QRadar xx29-C (MTM 4654-Q3A) for various appliance types in your deployment.
The QRadar xx29-C can be used for the following appliances:
• QRadar Event Processor 1629
• QRadar Flow Processor 1729
• QRadar Event and Flow Processor 1829
• QRadar 3129 (All-in-One)
• QRadar 3129 (Console)
• QRadar Log Manager 1629
• QRadar Log Manager 3129 (All-in-One)
• QRadar Log Manager 3129 (Console)
• QRadar 1400 Data Node
View hardware information and requirements for the QRadar xx29-C in the following table:
Table 5. QRadar xx29-C
Description Value
Physical dimensions 29.0 inches deep x 17.1 inches wide x 3.4 inches high
Unit weight 73 lbs
CPU 2 x Xeon Gold 5118 12C 2.3 GHz 16 MB Cache 3.20 GHz 105 W
Memory 128 GB, 8 x 16 GB 1866 MHz RDIMM
Storage / Hard disks 12 x 8 TB 7.2K 12 Gbps 512e 3.5" NLSAS, 80 TB total (RAID6), 68 TB available to store event and flow data.
Network interfaces 2 x 16 Gbps Fiber Channel HBA ports
4 x 10/100/1000 Base-T Ethernet management interfaces
1 x 10/100/1000 Base-T integrated management module interface
2 x 10 Gbps SFP+ Ethernet management interfaces
Network management transceivers
2 x 10 Gb Short Range SFP+ management ports, Avago AFBR-709SMZ-IB8 or Finisar FTLX8571D3BCL-BN or BNT BN-CKM-SP-SR
2 x 16 Gb Fiber Channel SFP+ Installed in Emulex Card
Power supply Dual redundant 1100 W AC
Maximum capacity QRadar 3129 (All-in-One): 15,000 EPS, 300,000 FPM
Picture: © 2018 Dell Inc. or its subsidiaries. All Rights Reserved
Figure 3. QRadar xx29-C
Table 6. Legend for use with the QRadar xx29-C image
Label Description
1 Event data storage
2 IMM port (1 GbE TX)
3 Management ports (10 GbE SFP+)
4 Management ports (1 GbE TX)
5 Fibre channel ports (16 Gb SFP+)
For internal flow sources over 50 K flows per minute (FPM), the All-in-One requires external QRadar QFlow Collectors for layer 7 network activity monitoring.
QRadar xx48
The IBM QRadar xx48 (MTM 4412-Q3B) captures logs from sources that generate a large amount of traffic without a need for load balancing.
The QRadar xx48 appliance handles the higher levels of performance that are required by enterprise class clients. For example, companies can use the QRadar xx48 for the following requirements:
• A company wants faster processing to search and analyze a large amount of data.
• A company wants to reduce the footprint of an IBM QRadar deployment, so they install QRadar xx48 appliances to reduce rack space.
The following appliances are examples of appliance types that you can use the QRadar xx48 for:
• QRadar Event Processor 1648
• QRadar Flow Processor 1748
• QRadar Event and Flow Processor 1848
• QRadar 3148 (All-in-One)
• QRadar 3148 (Console)
• QRadar 1400 Data Node
View hardware information and requirements for the QRadar xx48 in the following table:
Table 7. QRadar xx48 overview
Description Value
Maximum capacity QRadar Event Processor 1648: 80,000 EPS
QRadar Flow Processor 1748: 3,600,000 FPM
QRadar Event and Flow Processor 1848: 30,000 EPS, 1,200,000 FPM
QRadar 3148 (All-in-One): 30,000 EPS, 1,200,000 FPM
Interfaces 1 x 2-port Emulex 8 Gb FC
4 x 10/100/1000 Base-T Ethernet interfaces
1 x 10/100/1000 Base-T QRadar management interface
1 x 10/100/1000 Base-T-integrated remote system management interface
2 x 10 Gbps SFP+ ports
Memory 128 GB, 2133 MHz DDR4 RDIMM
Storage 6x 3.8 TB SSD
Power supply Dual redundant 900 W AC
Dimensions 31.5 inches deep x 17.5 inches wide (19 inches with EIA) x 3.4 inches high
Figure 4. QRadar xx48
Table 8. Legend for use with the QRadar xx48 image
Label Description
1 Event data storage
2 IMM port (1GbE TX)
3 Management ports (10 GbE SFP+)
4 Fibre channel ports (8 Gb SFP+)
5 Management ports (1 GbE TX)
For internal flow sources over 50 K flows per minute (FPM), the All-in-One requires external QRadar QFlow Collectors for layer 7 network activity monitoring.
For battery removal steps, see Removing the coin-cell battery (also called CMOS battery) (http://www-01.ibm.com/support/knowledgecenter/api/redirect/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/t_removing_system_battery.html).
For more information about the front panel, see Front view (http://www-01.ibm.com/support/knowledgecenter/api/redirect/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/c_front_view.html).
For more information about the back panel, see Rear view (http://www-01.ibm.com/support/knowledgecenter/api/redirect/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/c_rear_view.html).
For more information, you can also see System x3650 M5 (https://lenovopress.com/lp0068-lenovo-system-x3650-m5-machine-type-8871.html).
QRadar xx48-C
The IBM QRadar xx48-C (MTM 4654-Q4B) captures logs from sources that generate a large amount of traffic without a need for load balancing.
The QRadar xx48-C appliance handles the higher levels of performance that are required by enterprise class clients. For example, companies can use the QRadar xx48-C for the following requirements:
• A company wants faster processing to search and analyze a large amount of data.
• A company wants to reduce the footprint of an IBM QRadar deployment, so they install QRadar xx48-C appliances to reduce rack space.
The following appliances are examples of appliance types that you can use the QRadar xx48-C for:
• QRadar Event Processor 1648
• QRadar Flow Processor 1748
• QRadar Event and Flow Processor 1848
• QRadar 3148 (All-in-One)
• QRadar 3148 (Console)
• QRadar 1400 Data Node
View hardware information and requirements for the QRadar xx48-C in the following table.
Table 9. QRadar xx48-C overview
Description Value
Physical dimensions 31.3 inches deep x 17.1 inches wide x 1.7 inches high
Unit weight 48.5 lbs
CPU 2 x Xeon Gold 6132 14C 2.6 GHz 19 MB Cache 3.70 GHz 140 W
Memory 128 GB, 8 x 16 GB 1866 MHz RDIMM
Storage / Hard disks 6 x 3.84 TB 12 Gb SAS 2.5" SSD, 15.36 TB Total (RAID6), 12 TB available to store event and flow data.
Network interfaces Intel i350 QP 1 Gb
Intel X710 2P 10 GbE
Emulex 8 Gb FC 2P HBA
Transceivers 2 x 10 Gb Short Range SFP+ management ports, Avago AFBR-709SMZ-IB8 or Finisar FTLX8571D3BCL-BN or BNT BN-CKM-SP-SR
2 x 16 Gb Fiber Channel SFP+ Installed in Emulex Card
Power supply Dual redundant 1100 W AC
Maximum capacity QRadar 3148 (All-in-One): 30,000 EPS, 1,200,000 FPM
Picture: © 2018 Dell Inc. or its subsidiaries. All Rights Reserved
Figure 5. QRadar xx48-C
Table 10. Legend for use with the QRadar xx48-C image
Label Description
1 Event data storage
2 IMM port (1 GbE TX)
3 Management ports (10 GbE SFP+)
4 Management ports (1 GbE TX)
5 Fibre channel ports (16 Gb SFP+)
For internal flow sources over 50 K flows per minute (FPM), the All-in-One requires external QRadar QFlow Collectors for layer 7 network activity monitoring.
QRadar QFlow Collector 1202/1301
The IBM QRadar QFlow Collector 1202/1301 (MTM 4412-Q7C) appliance provides high capacity and scalable Layer 7 application data collection for distributed deployments. The QRadar QFlow Collector 1202/1301 also supports external flow-based data sources.
This appliance is only available by special order.
View hardware information and requirements for the QRadar QFlow Collector 1202/1301 in the following table:
Table 11. QRadar QFlow Collector 1202/1301 overview
Description Value
Interfaces 4 x 1 Gb SFP network capture interfaces, including 4 x SX (LC short range fiber) and 4 x TX (RJ-45 copper) transceivers
Memory 64 GB, 4 x 16 GB truDDR4 2133 MHz Memory
Storage 2 x 240 GB SATA 2.5" SSD, 240 GB Total (RAID1)
Power supply Dual redundant 750 W AC
Dimensions 28.9 inches deep x 17.1 inches wide x 1.7 inches high
Figure 6. QRadar QFlow Collector 1202/1301
Table 12. Legend for use with the QRadar QFlow Collector 1202/1301 image
Label Description
1 QRadar firmware storage
2 IMM port (1 GbE TX)
3 Management ports (1 GbE TX)
4 Network packet capture (SFP)
5 Management ports (10 GbE SFP+)
For battery removal steps, see Removing the coin-cell battery (also called CMOS battery) (http://www-01.ibm.com/support/knowledgecenter/api/redirect/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/t_removing_system_battery.html)
For more information about the QRadar QFlow Collector 1202/1301, including front and back panel diagrams, see IBM System X3550 M5 (https://lenovopress.com/lp0067-lenovo-system-x3550-m5-machine-type-8869).
QRadar QFlow Collector 1310
The IBM QRadar QFlow Collector 1310 (MTM 4412-Q8C) appliance provides high capacity and scalable Layer 7 application data collection for distributed deployments. The QRadar QFlow Collector 1310 also supports external flow-based data sources.
This appliance is only available by special order.
View hardware information and requirements for the QRadar QFlow Collector 1310 in the following table:
Table 13. QRadar QFlow Collector 1310 overview
Description Value
Interfaces 4 x 10 Gb SFP+ network capture interfaces, including 4 x SR (LC short range fiber) and 4 x LR (LC long range fiber) transceivers
Memory 64 GB, 4 x 16 GB truDDR4 2133 MHz Memory
Storage 2 x 240 GB SATA 2.5" SSD, 240 GB Total (RAID1)
Power supply Dual redundant 750 W AC
Dimensions 28.9 inches deep x 17.1 inches wide x 1.7 inches high
Figure 7. QRadar QFlow Collector 1310
Table 14. Legend for use with the QRadar QFlow Collector 1310 image
Label Description
1 QRadar Firmware Storage
2 IMM port (1 GbE TX)
3 Management ports (1 GbE TX)
4 Network Packet Capture (SFP/SFP+)
5 Management ports (10 GbE SFP+)
For battery removal steps, see Removing the coin-cell battery (also called CMOS battery) (http://www-01.ibm.com/support/knowledgecenter/api/redirect/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/t_removing_system_battery.html)
For more information about the QRadar QFlow Collector 1310, including front and back panel diagrams, see IBM System X3550 M5 (https://lenovopress.com/lp0067-lenovo-system-x3550-m5-machine-type-8869).
QRadar Event Collector 1501
The IBM QRadar Event Collector 1501 (MTM 4412-Q4D) appliance is a dedicated event collector. By default, a dedicated event collector collects and parses events from various log sources and continuously forwards these events to an event processor. You can configure the QRadar Event Collector 1501 appliance to temporarily store events and only forward the stored events on a schedule. A dedicated event collector does not process events and it does not include an on-board event processor.
Tip: You can configure the QRadar Event Collector 1501 appliance to be used as a QRadar QFlow Collector 1201.
View hardware information and requirements for the QRadar Event Collector 1501 in the following table:
Table 15. QRadar Event Collector 1501 specifications
Description Value
Events per second 15,000 EPS
Network traffic 1 Gbps
Interfaces 7 x 10/100/1000 Base-T network monitoring interfaces
Memory 64 GB, 4 x 16 GB truDDR4 2400 MHz LP RDIMM
Storage 4 x 600 GB 2.5 inch 10 K rpm 12 Gbps SAS RAID 10 1.2 GB total (RAID 10)
Power supply System x 550 W High Efficiency Platinum AC Power Supply
Dimensions 28.9 inches deep x 17.1 inches wide x 1.7 inches high
Included components
Event Collector
Figure 8. QRadar Event Collector 1501
Table 16. Legend for use with the QRadar Event Collector 1501 image
Label Description
1 Event data storage
2 IMM port (1GbE TX)
3 Management ports (1 GbE TX)
4 Event capture ports (1 GbE TX)
5 Management ports (10 GbE SFP+)
For more information about the QRadar Event Collector 1501, including front and back panel diagrams, see IBM System X3550 M5 (https://lenovopress.com/lp0067-lenovo-system-x3550-m5-machine-type-8869).
QRadar Network Insights 1901
The IBM QRadar Network Insights 1901 (MTM 4412-F4Y) appliance provides detailed analysis of network flows to extend the threat detection capabilities of IBM QRadar.
With four 1G capture ports on a Napatech card, the QRadar Network Insights 1901 appliance provides the same capabilities as the QRadar Network Insights 1920 appliance but on a lower-price hardware platform that is designed for 1 Gbps network connectivity.
The QRadar Network Insights 1901 appliance has the following hardware specifications:
Table 17. QRadar Network Insights 1901 overview
Hardware Description
Dimensions 28.9 inches deep x 17.1 inches wide x 1.7 inches high
Power Dual redundant 750 Watt AC power supply
Storage 2 x 240 GB SATA 2.5" SSD, 240 GB Total (RAID1)
The storage is labeled as [1] in the appliance diagram.
Memory 64 GB (4 x 16 GB DDR4 2400MHz)
Network capture transceivers
2 x 1 G TX RJ-45 Transceivers (Avago ABCU-5710RZ or ABCU-5740RZ)
2 x 1 G SX LC Transceivers (Avago AFBR-5715PZ)
Use these transceivers with the network packet capture card, labeled as [4] in the appliance diagram.
Network management transceivers
2 x 10 G Short Range SFP
The transceivers may have one of the following part numbers:
• Avago AFBR-709SMZ-IB8
• Finisar FTLX8571D3BCL-BN
• BNT BN-CKM-SP-SR
Use these transceivers with the management ports, labeled as [5] in the appliance diagram.
System performance of QRadar Network Insights appliances varies depending on the exact configuration and tuning of the system components. It is influenced not only by hardware, but also by factors such as the search, extraction criteria, and the amount of network data. For more information, see Performance impacts in the IBM QRadar Network Insights Installation Guide.
Figure 9. Back panel of the QRadar Network Insights 1901 appliance
Table 18. Legend for use with the QRadar Network Insights 1901 image
Label Description
1 QRadar Firmware Storage
2 IMM Port (1GbE TX)
3 Management ports (1 GbE TX)
4 Network Packet Capture (SFP)
5 Management ports (10 GbE SFP+)
Note: Only the Network Packet Capture card [4] can be used for capturing network packet data.
For battery removal steps, see Removing the coin-cell battery (also called CMOS battery) (http://www-01.ibm.com/support/knowledgecenter/api/redirect/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/t_removing_system_battery.html)
For more information about the QRadar Network Insights 1901, including front and back panel diagrams,see IBM System X3550 M5 (https://lenovopress.com/lp0067-lenovo-system-x3550-m5-machine-type-8869).
QRadar Network Insights 1901-C
The IBM QRadar Network Insights 1901-C (MTM 4654-F6Y) appliance provides detailed analysis of network flows to extend the threat detection capabilities of IBM QRadar.
With four 1G capture ports on a Napatech card, the QRadar Network Insights 1901-C appliance provides the same capabilities as the QRadar Network Insights 1920 appliance but on a lower-price hardware platform that is designed for 1 Gbps network connectivity.
Table 19. QRadar Network Insights 1901-C overview
Description Value
Physical dimensions 31.1 inches deep x 17.1 inches wide x 1.7 inches high
Unit weight 48.5 lbs
CPU 2 x Xeon Gold 5118 12C 2.3 GHz 16 MB Cache 3.20 GHz 105 W
Memory 64 GB, 4 x 16 GB
Storage / Hard disks 2 x 240 GB SATA 2.5" SSD, 240 GB Total (RAID1)
Network interfaces 4 x 10 Gb SFP+ network capture interfaces, including 4 x SR (LC short range fiber) and 4 x LR (LC long range fiber) transceivers
4 x 10/100/1000 Base-T Ethernet management interfaces
1 x 10/100/1000 Base-T integrated management module interface
2 x 10 Gbps SFP+ management interfaces
Network Capture Transceivers
4 x 1 G TX RJ-45 Transceivers (Avago ABCU-5710RZ or ABCU-5740RZ)
4 x 1 G SX LC Transceivers (Avago AFBR-5715PZ)
Network Management Transceivers
2 x 10 G SR LC Transceivers (Avago AFBR-709SMZ-IB8 or Finisar FTLX8571D3BCL-BN or BNT BN-CKM-SP-SR)
Traffic rate 1 Gbps
Power supply Dual redundant 750 W AC
Picture: © 2018 Dell Inc. or its subsidiaries. All Rights Reserved
Figure 10. QRadar Network Insights 1901-C
Table 20. Legend for use with the QRadar Network Insights 1901-C image
Label Description
1 QRadar firmware storage
2 IMM port (1 GbE TX)
3 Management ports (10 GbE SFP+)
4 Management ports (1 GbE TX)
5 Network packet capture (SFP)
Ports are numbered 0, 1, 2, 3, from left to right.
QRadar Network Insights 1910
The IBM QRadar Network Insights 1910 (MTM 4412-F5Y) appliance offers 1 Gbps and 10 Gbps connectivity in a smaller, lower-cost appliance for deployments that require 10 Gbps connectivity but don't require the same level of processing or performance that is found in the more powerful 1920 appliance.
Table 21. QRadar Network Insights 1910 overview
Description Value
Physical dimensions 28.9 inches deep x 17.1 inches wide x 1.7 inches high
Unit weight 31 lbs
CPU 1 x E5-2680 v4 2.4 GHz 14C 2.4 GHz 35 MB Cache 2400 MHz 120 W
Memory 64 GB, 4 x 16 GB
Storage / Hard disks 2 x 200 GB SSD SATA G3HS M1215 (RAID1)
Network interfaces Intel X520 2P 10 GbE + x2 10 G SR
NT40E3 4P 40 G + 8 x 10 G SR
3 x 10/100/1000 Base-T network interfaces
1 x 10/100/1000 Base-T QRadar management interface
1 x 10/100 Base-T integrated remote system management interface
SFPs:
• Four TX SFP transceivers, two dual-kit IBM PN 51J2259, MTM 5123-A1M, DSWPN: D10E6LL
• Four SX SFP transceivers, two dual-kit IBM PN 51J2260, MTM 5123-A2M, DSWPN: D10E5LL
• Two SR SFP+ transceivers, Lenovo PN 46C3446-5053
Traffic rate 10 Gbps
Power supply Dual redundant 750 W AC
Figure 11. QRadar Network Insights 1910
Table 22. Legend for use with the QRadar Network Insights 1910 image
Label Description
1 QRadar firmware storage
2 IMM port (1 GbE TX)
3 Management ports (1 GbE TX)
4 Network Packet Capture (SFP/SFP+)
5 Management ports (10 GbE SFP+)
QRadar Network Insights 1910-C
The IBM QRadar Network Insights 1910-C (MTM 4654-Q9C) appliance offers 1 Gbps and 10 Gbps connectivity in a smaller, lower-cost appliance for deployments that require 10 Gbps connectivity but don't require the same level of processing or performance that is found in the more powerful 1920 appliance.
Table 23. QRadar Network Insights 1910-C overview
Description Value
Physical dimensions 31.3 inches deep x 17.1 inches wide x 1.7 inches high
Unit weight 48.5 lbs
CPU 2 x Xeon Gold 5118 12C 2.3 GHz 16 MB Cache 3.20 GHz 105 W
Memory 64 GB, 4 x 16 GB
Storage / Hard disks 2 x 240 GB SATA 2.5" SSD, 240 GB Total (RAID1)
Network interfaces 4 x 10 Gb SFP+ network capture interfaces, including 4 x SR (LC short range fiber) and 4 x LR (LC long range fiber) transceivers
4 x 10/100/1000 Base-T Ethernet management interfaces
1 x 10/100/1000 Base-T integrated management module interface
2 x 10 Gbps SFP+ management interfaces
Network capture transceivers
4 x 10 G SR LC Transceivers (Avago AFBR-703SDZ or AFBR-709SMZ)
4 x 10 G LR LC Transceivers (Avago AFCT-739SMZ-IB2)
Network management transceivers
2 x 10 G SR LC Transceivers (Avago AFBR-709SMZ-IB8 or Finisar FTLX8571D3BCL-BN or BNT BN-CKM-SP-SR)
Traffic rate 10 Gbps
Power supply Dual redundant 750 W AC
Picture: © 2018 Dell Inc. or its subsidiaries. All Rights Reserved
Figure 12. QRadar Network Insights 1910-C
Table 24. Legend for use with the QRadar Network Insights 1910-C image
Label Description
1 QRadar firmware storage
2 IMM port (1 GbE TX)
3 Management ports (10 GbE SFP+)
4 Management ports (1 GbE TX)
5 Network Packet Capture (SFP/SFP+)
Ports are numbered 0, 1, 2, 3, from left to right.
QRadar Network Insights 1920
The IBM QRadar Network Insights 1920 (MTM 4412-F3F) appliance provides detailed analysis of network flows to extend the threat detection capabilities of IBM QRadar.
The appliance has two Napatech cards, each with four ports. By default, the four ports on the first network capture card are configured for inbound traffic from the network tap. If the appliance is included in a stack, the ports are reconfigured for 2 inbound and 2 outbound. For more information about cabling stacked appliances, see the IBM QRadar Network Insights Installation Guide.
The second Napatech card is cabled internally for load balancing and cannot be used. If you connect these ports when you cable the appliance, you do not get any data from them.
The following table shows the hardware information and requirements for the IBM QRadar Network Insights 1920 (MTM 4412-F3F) appliance:
Table 25. QRadar Network Insights 1920 overview
Description Value
Dimensions 29.5 inches deep x 17.6 inches wide (19 inches with EIA) x 3.4 inches high
Power Dual redundant 900 Watt AC power supply
Storage 2 x 240 GB SATA 2.5" SSD, 240 GB Total (RAID1)
The storage is labeled as [1] in the appliance diagram.
Memory 128 GB (8 x16 GB DDR4 2400MHz)
Network capture transceivers
2x 10Gb Short Range Fiber Transceivers (Avago AFBR-703SDZ or AFBR-709SMZ)
2x 1G TX RJ-45 Transceivers (Avago ABCU-5710RZ or ABCU-5740RZ)
2x 1G SX LC Transceivers (Avago AFBR-5715PZ)
Use these transceivers with the network packet capture card, labeled as [2] in theappliance diagram.
Network management transceivers
2x 10G Short Range SFP
The transceivers may have one of the following part numbers:
• Avago AFBR-709SMZ-IB8
• Finisar FTLX8571D3BCL-BN
• BNT BN-CKM-SP-SR
Use these transceivers with the management ports, labeled as [4] in the appliance diagram.
System performance of QRadar Network Insights appliances varies depending on the exact configuration and tuning of the system components. It is influenced not only by hardware, but also by factors such as the search, the extraction criteria, and the amount of network data. For more information, see Performance impacts in the IBM QRadar Network Insights Installation Guide.
Figure 13. Back panel of the QRadar Network Insights 1920 appliance
Table 26. Legend for use with the QRadar Network Insights 1920 image
Label Description
1 QRadar Firmware Storage
2 Network Packet Capture (SFP/SFP+)
3 IMM Port (1GbE TX)
4 Management ports (10 GbE SFP+)
5 Cabled internally. Do not use these ports.
6 Management ports (1 GbE TX)
For battery removal steps, see Removing the coin-cell battery (also called CMOS battery) (http://publib.boulder.ibm.com/infocenter/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/t_removing_system_battery.html)
For more information about the front panel, see Front view (http://publib.boulder.ibm.com/infocenter/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/c_front_view.html).
For more information about the back panel, see Rear view (http://publib.boulder.ibm.com/infocenter/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/c_rear_view.html).
For more information, you can also see System x3650 M5 (https://lenovopress.com/lp0068-lenovo-system-x3650-m5-machine-type-8871.html).
QRadar Network Insights 1920-C
The IBM QRadar Network Insights 1920-C (MTM 4654-F4F) appliance provides detailed analysis of network flows to extend the threat detection capabilities of IBM QRadar.
The appliance has two Napatech cards, each with four ports. By default, the four ports on the first network capture card are configured for inbound traffic from the network tap. If the appliance is included in a stack, the ports are reconfigured for 2 inbound and 2 outbound. For more information about cabling stacked appliances, see the IBM QRadar Network Insights Installation Guide.
The second Napatech card is cabled internally for load balancing and cannot be used. If you connect these ports when you cable the appliance, you do not get any data from them.
The following table shows the hardware information and requirements for the IBM QRadar Network Insights 1920-C (MTM 4654-F4F) appliance.
Table 27. QRadar Network Insights 1920-C
Description Value
Physical dimensions 29.0 inches deep x 17.1 inches wide x 3.4 inches high
Unit weight 73 lbs
CPU 2 x Xeon Gold 6132 14C 2.6 GHz 19 MB Cache 3.70 GHz 140 W
Memory 128 GB, 8 x 16 GB
Storage / Hard disks 2 x 240 GB SATA 2.5" SSD, 240 GB Total (RAID1)
Network interfaces 4 x 10 Gb SFP+ network capture interfaces (left side), including 2 x SR (LC short range fiber), 2 x SX (LC short range fiber), and 2 x TX (RJ-45 copper) transceivers
4 x 10/100/1000 Base-T Ethernet management interfaces
1 x 10/100/1000 Base-T integrated management module interface
2 x 10 Gbps SFP+ management interfaces
Network capture transceivers
2 x 10 Gb Short Range Fiber Transceivers (Avago AFBR-703SDZ orAFBR-709SMZ)
2 x 1 G TX RJ-45 Transceivers (Avago ABCU-5710RZ or ABCU-5740RZ)
2 x 1 G SX LC Transceivers (Avago AFBR-5715PZ)
Use these transceivers with the network packet capture card, labeled as [2] in the appliance diagram.
Network management transceivers
2 x 10 G Short Range SFP
The transceivers may have one of the following part numbers:
• Avago AFBR-709SMZ-IB8
• Finisar FTLX8571D3BCL-BN
• BNT BN-CKM-SP-SR
Use these transceivers with the management ports, labeled as [4] in the appliance diagram.
Traffic rate 10 Gbps
Power supply Dual redundant 750 W AC
Picture: © 2018 Dell Inc. or its subsidiaries. All Rights Reserved
Figure 14. QRadar Network Insights 1920-C
Table 28. Legend for use with the QRadar Network Insights 1920-C image
Label Description
1 QRadar firmware storage
2 IMM port (1 GbE TX)
3 Management ports (10 GbE SFP+)
4 Management ports (1 GbE TX)
5 Network Packet Capture (SFP/SFP+)
Ports are numbered 3, 2, 1, 0, from left to right.
6 Do not use these ports
QRadar Incident Forensics
Use the IBM QRadar Incident Forensics appliance (MTM 4412-F1A) to retrace the step-by-step actions of a potential attacker, and quickly and easily conduct an in-depth forensics investigation of suspected malicious network security incidents.
View hardware information and requirements for the QRadar Incident Forensics appliance in the following table:
Table 29. Incident Forensics appliance specifications
Description Value
Interfaces 3 x 10/100/1000 Base-T network interfaces
1 x 10/100/1000 Base-T QRadar management interface
1 x 10/100/1000 Base-T integrated remote system management interface
Memory 128 GB, 8 x16 GB truDDR4 2400MHz LP RDIMM
Storage 12 x 3.5 inch 6 TB SAS 7.2 K rpm, 60 TB total (RAID6)
Power supply System x 900W High Efficiency Platinum AC Power Supply
Dimensions 31.5 inches deep x 17.5 inches wide x 3.4 inches high
Figure 15. QRadar Incident Forensics
Table 30. Legend for use with the QRadar Incident Forensics image
Label Description
1 Event data storage
2 IMM port (1 GbE TX)
3 Management ports (10 GbE SFP+)
4 Management ports (1 GbE TX)
For more information about the front panel, see Front view (http://publib.boulder.ibm.com/infocenter/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/c_front_view.html).
For more information about the back panel, see Rear view (http://publib.boulder.ibm.com/infocenter/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/c_rear_view.html).
For more information, you can also see System x3650 M5 (https://lenovopress.com/lp0068-lenovo-system-x3650-m5-machine-type-8871.html).
QRadar Incident Forensics-C
Use the IBM QRadar Incident Forensics-C appliance (MTM 4654-F2A) to retrace the step-by-step actions of a potential attacker, and quickly and easily conduct an in-depth forensics investigation of suspected malicious network security incidents.
View hardware information and requirements for the QRadar Incident Forensics-C appliance in the following table:
Table 31. QRadar Incident Forensics-C appliance specifications
Description Value
Physical dimensions 29.0 inches deep x 17.1 inches wide x 3.4 inches high
Unit weight 73 lbs
CPU R640 XL, 2 x Xeon Gold 5118, 2.3 GHz 16 MB Cache 3.20 GHz 105 W
Memory 128 GB, 8 x 16 GB
Storage / Hard disks 12 x 8 TB 7.2 K 12 Gbps 512e 3.5" NLSAS, 80 TB total (RAID6)
Network interfaces 4 x 10/100/1000 Base-T Ethernet management interfaces
1 x 10/100/1000 Base-T integrated management module interface
2 x 10 Gbps SFP+ Ethernet management interfaces
NIC Inserts 2 x 10 Gb Short Range SFP for x710
Power supply Dual redundant 1100 W AC
Picture: © 2018 Dell Inc. or its subsidiaries. All Rights Reserved
Figure 16. QRadar Incident Forensics-C
Table 32. Legend for use with the QRadar Incident Forensics-C image
Label Description
1 Event data storage
2 IMM port (1 GbE TX)
3 Management ports (10 GbE SFP+)
4 Management ports (1 GbE TX)
QRadar Network Packet Capture
IBM QRadar Network Packet Capture (MTM 4412-F2C) offers an optional IBM QRadar Packet Capture appliance to store and manage data that is used by QRadar Incident Forensics when no other network packet capture (PCAP) device is deployed. Any number of these appliances can be installed as a tap on a network or sub-network to collect the raw packet data.
View hardware information and requirements for QRadar Network Packet Capture in the following table:
Table 33. QRadar Network Packet Capture overview
Description Value
Interfaces 4 x 10 Gb SFP+ network capture interfaces, including 4 x SR (LC short range fiber), 4 x SX (LC short range fiber), and 4 x TX (RJ-45 copper) transceivers
4 x 10/100/1000 Base-T Ethernet management interfaces
1 x 10/100/1000 Base-T integrated management module interface
2 x 10 Gbps SFP+ management interfaces
2 x Direct Attached Storage (DAS) ports
Memory 128GB (8x 16GB) DDR4 RDIMM
Storage 12 x 3.5 inch 6 TB NLSAS 7.2 K rpm, 60 TB total (RAID6)
2 x 2.5 inch 1TB NLSAS 7.2 K rpm, 1 TB total (RAID1)
Power supply Dual redundant 900 W AC
Dimensions 31.5 inches deep x 17.5 inches wide (19 inches with EIA) x 3.4 inches high
Figure 17. QRadar Network Packet Capture
Table 34. Legend for use with the QRadar Network Packet Capture image
Label Description
1 Event data storage
2 IMM port (1 GbE TX)
3 External RAID DAS ports
4 QRadar firmware storage
5 Management ports (10 GbE SFP+)
6 Management ports (1 GbE TX)
7 Network packet capture (SFP/SFP+)
For battery removal steps, see Removing the coin-cell battery (also called CMOS battery) (http://publib.boulder.ibm.com/infocenter/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/t_removing_system_battery.html)
For more information about the front panel, see Front view (http://publib.boulder.ibm.com/infocenter/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/c_front_view.html).
For more information about the back panel, see Rear view (http://publib.boulder.ibm.com/infocenter/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/c_rear_view.html).
For more information, you can also see System x3650 M5 (https://lenovopress.com/lp0068-lenovo-system-x3650-m5-machine-type-8871.html).
QRadar Network Packet Capture-C
QRadar Network Packet Capture-C (MTM 4654-F3C) offers an optional IBM QRadar Packet Capture appliance to store and manage data that is used by QRadar Incident Forensics when no other network packet capture (PCAP) device is deployed. Any number of these appliances can be installed as a tap on a network or sub-network to collect the raw packet data.
View hardware information and requirements for QRadar Network Packet Capture-C in the following table.
Table 35. QRadar Network Packet Capture-C
Description Value
Physical dimensions 29.0 inches deep x 17.1 inches wide x 3.4 inches high
Unit weight 73 lbs
CPU 2 x Xeon Gold 6132 14C 2.6 GHz 19 MB Cache 3.70 GHz 140 W
Memory 128 GB, 8 x 16 GB
Storage / Hard disks 12 x 8 TB 7.2 K 12 Gbps NLSAS 3.5", 80 TB total (RAID6)
2 x 1 TB 7.2 K 12 Gbps NLSAS 2.5", 1 TB total (RAID1)
Network interfaces 4 x 10 Gb SFP+ network capture interfaces, including 4 x SR (LC short range fiber), 4 x SX (LC short range fiber), and 4 x TX (RJ-45 copper) transceivers
4 x 10/100/1000 Base-T Ethernet management interfaces
1 x 10/100/1000 Base-T integrated management module interface
2 x 10 Gbps SFP+ management interfaces
2 x Direct Attached Storage (DAS) ports
Transceivers 4 x 10 Gb Short Range SFP+ management ports, Avago AFBR-709SMZ-IB8 or Finisar FTLX8571D3BCL-BN or BNT BN-CKM-SP-SR
4 x 1 G TX RJ-45 Transceivers (Avago ABCU-5710RZ or ABCU-5740RZ)
4 x 1 G SX LC Transceivers (Avago AFBR-5715PZ)
Power supply Dual redundant 1100 W AC
Picture: © 2018 Dell Inc. or its subsidiaries. All Rights Reserved
Figure 18. QRadar Network Packet Capture-C
Table 36. Legend for use with the QRadar Network Packet Capture-C image
Label Description
1 Packet capture storage
2 IMM port (1 GbE TX)
3 Management ports (10 GbE SFP+)
4 Management ports (1 GbE TX)
5 External RAID DAS ports
6 Network packet capture (SFP/SFP+)
7 QRadar firmware storage
Chapter 5. QRadar M4 appliance overview
Review information about IBM QRadar to understand hardware and license requirements.
Review this overview of QRadar appliances, including capabilities and license limitations.
QRadar xx05
Use the IBM QRadar xx05 (MTM 4380-Q1E) for various appliance types in your deployment.
The QRadar xx05 can be used for the following appliances:
• QRadar Event Processor 1605
• QRadar Flow Processor 1705
• QRadar 1805
• QRadar 3105 (All-in-One)
• QRadar 3105 (Console)
• QRadar Log Manager 1605
• QRadar Log Manager 3105 (All-in-One)
• QRadar Log Manager 3105 Console
• QRadar 1400 Data Node
• QRadar Vulnerability Manager
• QRadar Risk Manager
View hardware information and requirements for the QRadar xx05 in the following table:
Table 37. QRadar xx05
Description Value
Maximum capacity QRadar Event Processor 1605 20,000 EPS
QRadar Flow Processor 1705 1,200,000 FPM
QRadar 1805 200,000 FPM, 5,000 EPS
QRadar 3105 (All-in-One) 200,000 FPM, 5,000 EPS
QRadar Vulnerability Manager up to 32,768 assets
Interfaces Two 10/100/1000 Base-T network monitoring interfaces
One 10/100/1000 Base-T QRadar management interface
One 10/100/1000 Base-T integrated management module interface
Two 10 Gbps SFP+ ports
Memory 64 GB 8x 8 GB 1600 MHz RDIMM
Storage 9 x 3.5 inch 1 TB 7.2 K rpm NL SAS, 9 TB total, 5.5 TB usable (RAID 6)
QRadar 1400 Data Node 9 x 3.5 inch 1 TB 7.2 K rpm NL SAS, 9 TB total, 6.1 TB usable (RAID 6)
Power supply Dual Redundant 750 W AC Power Supply
Dimensions 29.5 inches deep x 17.7 inches wide x 2.4 inches high
Included components Event Collector
Event Processor
Flow Processor
Internal storage for events and flows
QRadar Data Node appliance
QRadar Vulnerability Manager
QRadar Risk Manager
The QRadar 3105 (All-in-One) requires external QRadar QFlow Collectors for layer 7 network activity monitoring.
For more information about IBM QRadar M4 Consoles, Processors and Data Nodes, including front andback panel diagrams, see IBM System X3650 M4 BD (https://lenovopress.com/tips1102-system-x3650-m4-bd).
QRadar xx28
Use the IBM QRadar xx28 (MTM 4380-Q2E) for various appliance types in your deployment.
The QRadar xx28 can be used for the following appliances:
• QRadar Event Processor 1628
• QRadar Flow Processor 1728
• QRadar Flow Processor 1828
• QRadar 3128 (All-in-One)
• QRadar 3128 (Console)
• QRadar Log Manager 1628
• QRadar Log Manager 3128 (All-in-One)
• QRadar Log Manager 3128 (Console)
• QRadar 1400 Data Node
Note: For QRadar xx28 appliances, you are responsible for acquiring the proper transceivers for your network.
View hardware information and requirements for the QRadar xx28 in the following table:
Table 38. QRadar xx28
Description Value
Maximum capacity QRadar Event Processor 1628 40,000 EPS
QRadar Flow Processor 1728 1,200,000 FPM
QRadar Flow Processor 1828 300,000 FPM, 15,000 EPS
QRadar 3128 (All-in-One) 300,000 FPM, 15,000 EPS
Interfaces One 2-port Emulex 8 Gbps FC
Two 10/100/1000 Base-T network monitoring interfaces
One 10/100/1000 Base-T QRadar management interface
One 10/100/1000 Base-T integrated management module interface
Two 10 Gbps SFP+ ports
QRadar Packet Capture Four 10 Gbps SFP+ ports
Memory 128 GB, 8 x 16 GB 1866 MHz RDIMM
Storage 12 x 3.5 inch 4 TB SAS 7.2 K rpm, 48 TB total, 34 TB usable (RAID 6)
QRadar 1400 Data Node 12 x 3.5 inch 4 TB SAS 7.2 K rpm, 48 TB total, 39 TB usable (RAID 6)
Power supply Dual Redundant 900 W AC Power Supply
Dimensions 29.5 inches deep x 17.6 inches wide x 3.4 inches high
Included components Event Collector
Event Processor
Flow Processor
Internal storage for events and flows
QRadar Data Node appliance
The QRadar 3128 (All-in-One) requires external QRadar QFlow Collectors for layer 7 network activity monitoring.
For more information about IBM QRadar M4 Consoles, Processors and Data Nodes, including front andback panel diagrams, see IBM System X3650 M4 BD (https://lenovopress.com/tips1102-system-x3650-m4-bd).
QRadar xx28-C
Use the IBM QRadar xx28-C (MTM 4380-Q1F) for various appliance types in your deployment.
IBM QRadar xx28-C appliances are manufactured by Dell, and can be used for the following appliances:
• QRadar Event Processor 1628-C
• QRadar Flow Processor 1728-C
• QRadar Flow Processor 1828-C
• QRadar 3128-C (All-in-One)
• QRadar 3128-C (Console)
• QRadar Log Manager 1628-C
• QRadar Log Manager 3128-C (All-in-One)
• QRadar Log Manager 3128-C (Console)
• QRadar Risk Manager
• QRadar Vulnerability Manager
• QRadar Incident Forensics
• QRadar Packet Capture, including QRadar Packet Capture Data Node
• QRadar 1400-C Data Node
QRadar xx28-C appliances are TAA compliant. You can also use the xx28-C appliances for FIPS compliance.
Important: To make an xx28-C appliance FIPS compliant, the QRadar release must be FIPS compliant, and your appliance must have the required physical security. For more information about physical security, see the IBM Security QRadar Version 7.2.5 FIPS 140-2 Installation Guide. QRadar Incident Forensics and QRadar Packet Capture are not FIPS compliant.
Table 39. QRadar xx28-C
Description Value
Maximum capacity QRadar Event Processor 1628-C 40,000 EPS
QRadar Flow Processor 1728-C 1,200,000 FPM
QRadar Flow Processor 1828-C 300,000 FPM, 15,000 EPS
QRadar 3128-C (All-in-One) 300,000 FPM, 15,000 EPS
Interfaces One 2-port Emulex 8 Gbps FC
Three 10/100/1000 Base-T network monitoring interfaces
One 10/100/1000 Base-T QRadar management interface
One 10/100/1000 Base-T integrated remote system management interface
Two 10 Gbps SFP+ ports
Memory 128 GB, 8 x16 GB 2133 MT/s DDR4 RDIMM
Storage 12 x 3.5 inch 4 TB SAS 7.2 K rpm, 48 TB total, 34 TB usable (RAID 6)
Power supply Dual redundant 750 W AC
Dimensions 29.5 inches deep x 17.7 inches wide x 2.4 inches high
Included Components Event Collector
Event Processor
Flow Processor
Internal storage for events and flows
QRadar Data Node appliance
The QRadar 3128-C (All-in-One) requires external QRadar QFlow Collectors for layer 7 network activitymonitoring.
Picture: © 2018 Dell Inc. or its subsidiaries. All Rights Reserved
Figure 19. QRadar xx28-C
Table 40. Legend for use with the QRadar xx28-C image
Label Description
1 Event data storage
2 IMM port (1GbE TX)
3 Fibre channel ports (16 Gb TX)
4 Management ports (10 GbE SFP+)
5 Management ports (1 GbE TX)
QRadar 21xx
The IBM QRadar 2100 (MTM 4380-Q1C) appliance is an all-in-one system that combines Network Behavioral Anomaly Detection (NBAD) and Security Information and Event Management (SIEM) to accurately identify and appropriately prioritize threats that occur on your network.
Note: If you are upgrading a QRadar 21xx appliance from V7.2.8 or earlier, larger apps such as Pulse, QDI, or User Behavior Analytics can cause overall performance issues on the Console. Apps can be offloaded to an App Host to provide extra storage, memory, and CPU resources for your apps without impacting the processing capacity of your Console.
The QRadar 21xx can be used for the following appliances:
• QRadar 2100
• QRadar Log Manager 2100
View hardware information and requirements for the QRadar 21xx in the following table:
Table 41. QRadar 21xx overview
Description Value
Maximum capacity 1,000 EPS
50,000 FPM
Interfaces Three 10/100/1000 Base-T network monitoring interfaces
One 10/100/1000 Base-T IBM QRadar management interface
One 10/100/1000 Base-T integrated management module interface
Two 10 Gbps SFP+ ports
Memory 32 GB, 4 x 8GB 1600 MHz RDIMM
Storage 6 x 2.5 inch 500 GB 7.2K rpm SATA, 3 TB total, 1.5 TB usable (RAID 10)
Power supply Dual Redundant 750 W AC
Dimensions 28.9 inches deep x 16.9 inches wide x 1.7 inches high
Included components
Event Collector
Event Processor
Single QRadar QFlow Collector
Additional QRadar QFlow Collectors are sold separately.
For more information about QRadar 21xx, including front and back panel diagrams, see IBM System X3550 M4 (https://lenovopress.com/tips0851-system-x3550-m4-e5-2600-v2).
QRadar QFlow Collector 1201
The IBM QRadar QFlow Collector 1201 (MTM 4380-Q2C) appliance provides high capacity and scalable Layer 7 application data collection for distributed deployments. The QRadar QFlow Collector 1201 also supports external flow-based data sources.
View hardware information and requirements for the QRadar QFlow Collector 1201 in the following table:
Table 42. QRadar QFlow Collector 1201
Description Value
Network traffic 1 Gbps
Interfaces Five 10/100/1000 Base-T network monitoring interfaces
Two 10 Gbps SFP+ ports
One 10/100/1000 Base-T QRadar management interface
One 10/100/1000 Base-T integrated management module interface
Memory 16 GB, 4 x 4GB 1600 MHz RDIMM
Storage 2 x 2.5 inch 600 GB 10 K rpm SAS, 600 GB total (RAID 1)
Power supply Dual Redundant 550 W AC
Dimensions 28.9 inches deep x 16.9 inches wide x 1.7 inches high
Included components
QRadar QFlow Collector
For more information about QRadar QFlow Collector appliances, including front and back panel diagrams,see IBM System X3550 M4 (https://lenovopress.com/tips0851-system-x3550-m4-e5-2600-v2).
QRadar QFlow Collector 1202
The IBM QRadar QFlow Collector 1202 (MTM 4380-Q3C) appliance provides high capacity and scalable Layer 7 application data collection for distributed deployments. The QRadar QFlow Collector 1202 also supports external flow-based data sources.
View hardware information and requirements for the QRadar QFlow Collector 1202 in the following table:
Table 43. QRadar QFlow Collector 1202
Description Value
Network traffic 3 Gbps
Interfaces Napatech Network Adapter, providing four 1 Gbps 10/100/1000 Base-T network interfaces
Two 10 Gbps SFP+ ports
One 10/100/1000 Base-T QRadar management interface
One 10/100/1000 Base-T integrated management module interface
Memory 16 GB, 4 x 4GB 1600 MHz RDIMM
Storage 2 x 2.5 inch 600 GB 10 K rpm SAS, 600 GB total (RAID 1)
Power supply Dual Redundant 550 W AC
Dimensions 28.9 inches deep x 16.9 inches wide x 1.7 inches high
Included components
QRadar QFlow Collector
NT4E-STD Napatech Network Adaptor
For more information about QRadar QFlow Collector appliances, including front and back panel diagrams,see IBM System X3550 M4 (https://lenovopress.com/tips0851-system-x3550-m4-e5-2600-v2).
QRadar QFlow Collector 1202-C/1301-C
The IBM QRadar Core Appliance QFlow Collector 1202-C and 1301-C (MTM 4380-Q1G) appliance provides high capacity and scalable Layer 7 application data collection for distributed deployments. The QRadar QFlow Collector 1202-C/1301-C also supports external flow-based data sources.
View hardware information and requirements for the QRadar QFlow Collector 1202-C/1301-C in the following table:
Table 44. QRadar QFlow Collector 1202-C/1301-C specifications
Description Value
Network traffic 3 Gbps
Interfaces Two 10/100/1000 Base-T network monitoring interfaces
Two 10 Gbps SFP+ ports
One 10/100/1000 Base-T QRadar management interface
One 10/100/1000 Base-T integrated management module interface
Four 1 Gbps NT4E-STD SFP+ Napatech card. Supported SFP+: 1 Gbps Copper, 1 Gbps Short Range Fiber, 1 Gbps Long Range Fiber
Memory 16 GB, 4 x 4GB 1600 MHz RDIMM
Storage 600 GB 10 K rpm SAS, 600 GB total (RAID 1)
Power supply Dual Redundant 750 W AC
Dimensions 27.57 inches deep x 18.99 inches wide x 1.68 inches high
Included components
QRadar QFlow Collector
Picture: © 2018 Dell Inc. or its subsidiaries. All Rights Reserved
Figure 20. QRadar QFlow Collector 1202-C/1301-C
Table 45. Legend for use with the QRadar QFlow Collector 1202-C/1301-C image
Label Description
1 QRadar firmware storage
2 IMM port (1 GbE TX)
3 Management ports (10 GbE SFP+)
4 Management ports (1 GbE TX)
5 Network packet capture (SFP)
For information about battery replacement, watch the PowerEdge R630: Remove/Install System Battery video (http://www.dell.com/support/contents/us/en/19/videos/videoPlayer/R3dGJkcDrKfQHglE-qqPpuGprIpm_uF-).
QRadar QFlow Collector 1301
The IBM QRadar QFlow Collector 1301 (MTM 4380-Q4C) appliance provides high capacity and scalable Layer 7 application data collection for distributed deployments. The QRadar QFlow Collector 1301 also supports external flow-based data sources.
View hardware information and requirements for the QRadar QFlow Collector 1301 in the following table:
Table 46. QRadar QFlow Collector 1301
Description Value
Network traffic 3 Gbps
Interfaces Napatech Network Adapter, providing four 1 Gbps 1000 Base-SX Multi-Mode Fiber network monitoring interfaces
Two 10 Gbps SFP+ ports
One 10/100/1000 Base-T QRadar management interface
One 10/100/1000 Base-T integrated management module interface
Memory 16 GB, 4 x 4GB 1600 MHz RDIMM
Storage 2 x 2.5 inch 600 GB 10 K rpm SAS, 600 GB total (RAID 1)
Power supply Dual Redundant 550 W AC
Dimensions 28.9 inches deep x 16.9 inches wide x 1.7 inches high
Included components
QRadar QFlow Collector
NT4E-STD Napatech Network Adaptor
For more information about QRadar QFlow Collector appliances, including front and back panel diagrams,see IBM System X3550 M4 (https://lenovopress.com/tips0851-system-x3550-m4-e5-2600-v2).
QRadar QFlow Collector 1310
The IBM QRadar QFlow Collector 1310 (MTM 4380-Q5C) appliance provides high capacity and scalable Layer 7 application data collection for distributed deployments. The QRadar QFlow Collector 1310 also supports external flow-based data sources.
View hardware information and requirements for the QRadar QFlow Collector 1310 in the following table:
Table 47. QRadar QFlow Collector 1310
Description Value
Network traffic 10 Gbps
Interfaces Napatech Network Adapter for fiber, providing two 10 Gbps SFP+ network monitoring interfaces
One 10/100/1000 Base-T QRadar management interface
One 10/100/1000 Base-T integrated management module interface
Memory 16 GB, 4 x 4GB 1600 MHz RDIMM
Storage 2 x 2.5 inch 600 GB 10 K rpm SAS, 600 GB total (RAID 1)
Power supply Dual Redundant 550 W AC
Dimensions 28.9 inches deep x 16.9 inches wide x 1.7 inches high
Included components
QRadar QFlow Collector
NT20E2 Napatech Network Adaptor
For more information about QRadar QFlow Collector appliances, including front and back panel diagrams,see IBM System X3550 M4 (https://lenovopress.com/tips0851-system-x3550-m4-e5-2600-v2).
QRadar QFlow Collector 1310 SR-C/LR-C
The IBM QRadar Core Appliance QFlow Collector 1310 SR-C and LR-C (MTM 4380-Q2G) appliance provides high capacity and scalable Layer 7 application data collection for distributed deployments. The SR model includes short range transceivers. The LR model includes long range transceivers.
View hardware information and requirements for the QRadar QFlow Collector 1310 SR-C/LR-C in the following table:
Table 48. QRadar QFlow Collector 1310 SR-C/LR-C specifications
Description Value
Network traffic 10 Gbps
Interfaces Two 10/100/1000 Base-T network monitoring interfaces
Two 10 Gbps SFP+ ports
One 10/100/1000 Base-T QRadar management interface
One 10/100/1000 Base-T integrated management module interface
Napatech Network Adapter for fiber, providing two 10 Gbps SFP+ network monitoring interfaces.
Memory 16 GB, 4 x 4GB 1600 MHz RDIMM
Storage 600 GB 10 K rpm SAS, 600 GB total (RAID 1)
Power supply Dual Redundant 750 W AC
Dimensions 27.57 inches deep x 18.99 inches wide x 1.68 inches high
Included components
QRadar QFlow Collector
NT20E2 Napatech Network Adaptor
Picture: © 2018 Dell Inc. or its subsidiaries. All Rights Reserved
Figure 21. QRadar QFlow Collector 1310 SR-C/LR-C
Table 49. Legend for use with the QRadar QFlow Collector 1310 SR-C/LR-C image
Label Description
1 QRadar firmware storage
2 IMM port (1 GbE TX)
3 Management ports (10 GbE SFP+)
4 Management ports (1 GbE TX)
5 Network packet capture (SFP/SFP+)
For information about battery replacement, watch the PowerEdge R630: Remove/Install System Battery video (http://www.dell.com/support/contents/us/en/19/videos/videoPlayer/R3dGJkcDrKfQHglE-qqPpuGprIpm_uF-).
QRadar Event Collector 1501
The IBM QRadar Event Collector 1501 (MTM 4380-Q2C) appliance is a dedicated event collector. By default, a dedicated event collector collects and parses events from various log sources and continuously forwards these events to an event processor. You can configure the QRadar Event Collector 1501 appliance to temporarily store events and only forward the stored events on a schedule. A dedicated event collector does not process events and it does not include an on-board event processor.
View hardware information and requirements for the QRadar Event Collector 1501 in the following table:
Table 50. QRadar Event Collector 1501 specifications
Description Value
Events per second 15,000 EPS
Network traffic 1 Gbps
Interfaces Five 10/100/1000 Base-T network monitoring interfaces
Two 10 Gbps SFP + ports
One 10/100/1000 Base-T QRadar management interface
One 10/100/1000 Base-T integrated management module interface
Memory 16 GB, 4 x 4GB 1600 MHz RDIMM
Storage 2 x 2.5 inch 600 GB 10 K rpm SAS, 600 GB total (RAID 1)
Power supply Dual Redundant 550 W AC
Dimensions 28.9 inches deep x 16.9 inches wide x 1.7 inches high
Included components
Event Collector
For more information about QRadar Event Collectors, including front and back panel diagrams, see IBM System X3550 M4 (https://lenovopress.com/tips0851-system-x3550-m4-e5-2600-v2).
QRadar Network Insights 1920-C
The IBM QRadar Network Insights 1920-C (MTM 4531-F3F) appliance provides detailed analysis of network flows to extend the threat detection capabilities of IBM QRadar.
The appliance has two Napatech cards, each with four ports. By default, the four ports on the first network capture card are configured for inbound traffic from the network tap. If the appliance is included in a stack, the ports are reconfigured for 2 inbound and 2 outbound. For more information about cabling stacked appliances, see the IBM QRadar Network Insights Installation Guide.
The second Napatech card is cabled internally for load balancing and cannot be used. If you use these ports when you cable the appliance, you do not get any data.
The following table shows the hardware information and requirements for the IBM QRadar Network Insights 1920-C (MTM 4531-F3F) appliance:
Table 51. QRadar Network Insights 1920-C overview
Description Value
Dimensions 26.92 inches deep x 17.49 inches wide x 3.44 inches high
Power Dual redundant 750 Watt AC power supply
Storage 2x 200 GB SSD (Raid 1)
The storage is labeled as [1] in the appliance diagram.
Memory 128 GB (8 x16 GB DDR4 2400MHz)
Network capture transceivers
2x 10Gb Short Range Fiber Transceivers (Avago AFBR-703SDZ or AFBR-709SMZ)
2x 1G TX RJ-45 Transceivers (Avago ABCU-5710RZ or ABCU-5740RZ)
2x 1G SX LC Transceivers (Avago AFBR-5715PZ)
Use these transceivers with the network packet capture card, labeled as [2] in the appliance diagram.
Network management transceivers
2x 10G Short Range SFP
The transceivers may have one of the following part numbers:
• Avago AFBR-709SMZ-IB8
• Finisar FTLX8571D3BCL-BN
• BNT BN-CKM-SP-SR
Use these transceivers with the management ports, labeled as [4] in the appliance diagram.
System performance of QRadar Network Insights appliances varies depending on the exact configuration and tuning of the system components. It is influenced not only by hardware, but also by factors such as the search, extraction criteria, and the amount of network data. For more information, see Performance impacts in the IBM QRadar Network Insights Installation Guide.
Figure 22. Back panel of the QRadar Network Insights 1920-C appliance
Table 52. Legend for use with the QRadar Network Insights 1920-C image
Label Description
1 QRadar Firmware Storage
2 IMM Port (1GbE TX)
3 Cabled internally. Do not use these ports.
4 Management ports (10 GbE SFP+)
5 Management ports (1 GbE TX)
6 Network Packet Capture (SFP/SFP+)
QRadar Incident Forensics
Use IBM QRadar Incident Forensics to retrace the step-by-step actions of a potential attacker, and conduct an in-depth forensics investigation of suspected malicious network security incidents. QRadar Incident Forensics reduces the time it takes security teams to investigate offense records. It can also help you remediate a network security breach and prevent it from happening again.
View hardware information and requirements for the QRadar Incident Forensics in the following table:
Table 53. QRadar Incident Forensics
Description Value
Interfaces One 2-port Emulex 8Gbps FC
Two 10/100/1000 Base-T network monitoring interfaces
One 10/100/1000 Base-T QRadar management interface
One 10/100/1000 Base-T integrated management module interface
Two 10 Gbps SFP + ports
Memory 128 GB, 8 x 16 GB 1866 MHz RDIMM8
Storage 12 x 3.5 inch 4 TB SAS 7.2 K rpm, 48 TB total, 34 TB usable (RAID 6)
Power supply Dual Redundant 900 W AC Power Supply
Dimensions 29.5 inches deep x 17.6 inches wide x 3.4 inches high
For more information about QRadar Incident Forensics appliances, including front and back panel diagrams, see IBM System X3650 M4 BD (https://lenovopress.com/tips1102-system-x3650-m4-bd).
QRadar Packet Capture
IBM QRadar Incident Forensics offers an optional IBM QRadar Packet Capture appliance to store and manage data that is used by QRadar Incident Forensics when no other network packet capture (PCAP) device is deployed. Any number of these appliances can be installed as a tap on a network or sub-network to collect the raw packet data.
View hardware information and requirements for QRadar Packet Capture in the following table:
Table 54. QRadar Packet Capture overview
Description Value
Interfaces Two 10/100/1000 Base-T network monitoring interfaces
One 10/100/1000 Base-T IBM QRadar management interface
One 10/100/1000 Base-T integrated management module interface
Four 10 Gbps SFP + ports
Memory 128 GB, 8 x 16 GB 1866 MHz RDIMM8
Storage 12 x 3.5 inch 4 TB SAS 7.2 K rpm, 41 TB total, 32 TB usable (RAID 5)
Power supply Dual Redundant 900 W AC Power Supply
Dimensions 29.5 inches deep x 17.6 inches wide x 3.4 inches high
Included components
Flow Processor
QRadar Packet Capture Data Node
For more information about QRadar Packet Capture appliances, including front and back panel diagrams, see IBM System X3650 M4 BD (https://lenovopress.com/tips1102-system-x3650-m4-bd).
QRadar Network Packet Capture-C
QRadar Network Packet Capture-C (MTM 4531-F2C) offers an optional QRadar Network Packet Capture-C appliance to store and manage data that is used by QRadar Incident Forensics when no other network packet capture (PCAP) device is deployed. Any number of these appliances can be installed as a tap on a network or subnetwork to collect the raw packet data.
View hardware information and requirements for the QRadar Network Packet Capture-C in the following table.
Table 55. QRadar Network Packet Capture-C
Description Value
Interfaces Two Napatech Network Adapters for fiber, providing four 10 GbE SFP+, 1 GbE SFP
SR SFP+ Transceivers
SX SFP Transceivers
TX SFP Transceivers
Three 10/100/1000 Base-T network monitoring interfaces
One 10/100/1000 Base-T QRadar management interface
One 10/100/1000 Base-T integrated remote system management interface
Two 10 GbE SFP+ ports
Memory 128 GB, 8 x16 GB 2133 MT/s DDR4 RDIMM
Storage 2x 1 TB 2.5" SAS (RAID 1), 12x 6 TB 3.5" SAS (RAID 6)
Power supply Dual redundant 750 W AC
Dimensions 2U, 26.92 inches deep x 17.49 inches wide x 3.44 inches high
Picture: © 2018 Dell Inc. or its subsidiaries. All Rights Reserved
Figure 23. QRadar Network Packet Capture-C
Table 56. Legend for use with the QRadar Network Packet Capture-C image
Label Description
1 Packet capture storage
2 IMM port (1GbE TX)
3 External RAID DAS ports
4 Management ports (10 GbE SFP+)
5 Management ports (1 GbE TX)
6 Network packet capture (SFP/SFP+)
7 QRadar firmware storage
Chapter 6. QRadar M3 appliance overview
Review information about IBM QRadar to understand hardware and license requirements.
Review this overview of QRadar appliances, including capabilities, and license limitations.
QRadar xx05
Use the IBM QRadar xx05 (MTM 4379-Q05) for various appliance types in your deployment.
The QRadar xx05 can be used for the following appliances:
• QRadar Event Processor 1605
• QRadar Flow Processor 1705
• QRadar 1805
• QRadar 3105 (All-in-One)
• QRadar 3105 (Console)
• QRadar Log Manager 1605
• QRadar Log Manager 3105 (All-in-One)
• QRadar Log Manager 3105 Console
• QRadar Vulnerability Manager
• QRadar Risk Manager
• QRadar 1400 Data Node
View hardware information and requirements for the QRadar xx05 in the following table:
Table 57. QRadar xx05
Description Value
Maximum capacity QRadar Event Processor 1605 20,000 EPS
QRadar Flow Processor 1705 1,200,000 FPM
QRadar 1805 200,000 FPM, 5,000 EPS
QRadar 3105 (All-in-One) 200,000 FPM, 5,000 EPS
QRadar Vulnerability Manager up to 32,768 assets
Interfaces Four 10/100/1000 Base-T network monitoring interfaces
QRadar Vulnerability Manager and QRadar Risk Manager: Two 10/100/1000 Base-T network monitoring interfaces
One 10/100/1000 Base-T QRadar management interface
Memory 48 GB
Storage 6.2 TB or larger dedicated event storage
Power supply Dual Redundant 675 W AC Power Supply
Dimensions 29.5 inches deep x 19.2 inches wide x 3.4 inches high
Included components Event Collector
Event Processor
Flow Processor
Internal storage for events and flows
QRadar Vulnerability Manager
QRadar Risk Manager
QRadar Data Node appliance
The QRadar 3105 (All-in-One) requires external QRadar QFlow Collectors for layer 7 network activity monitoring.
For more information about QRadar xx05 appliances, including front and back panel diagrams, see IBM System x3630 M3 (https://lenovopress.com/tips0807).
QRadar xx24
Use the IBM QRadar xx24 (MTM 4379-Q24) for various appliance types in your deployment.
The QRadar xx24 can be used for the following appliances:
• QRadar Event Processor 1624
• QRadar Flow Processor 1724
• QRadar 3124 (All-in-One)
• QRadar 3124 (Console)
• QRadar Log Manager 1624
• QRadar Log Manager 3124 (All-in-One)
• QRadar Log Manager 3124 Console
• QRadar 1400 Data Node
View hardware information and requirements for the QRadar xx24 in the following table:
Table 58. QRadar xx24
Description Value
Maximum capacity QRadar Event Processor 1624 20,000 EPS
QRadar Flow Processor 1724 1,200,000 FPM
QRadar 3124 (All-in-One) 200,000 FPM, 5,000 EPS
Interfaces Two 10/100/1000 Base-T network monitoring interfaces
One 10/100/1000 Base-T QRadar management interface
Memory 64 GB
Storage 16 TB or larger dedicated event storage
Power supply Dual Redundant 675 W AC Power Supply
Dimensions 29.5 inches deep x 19.2 inches wide x 3.4 inches high
Included components Event Collector
Event Processor
Flow Processor
Internal storage for events and flows
QRadar Data Node appliance
The QRadar 3124 (All-in-One) requires external QRadar QFlow Collectors for layer 7 network activity monitoring.
For more information about QRadar xx24 appliances, including front and back panel diagrams, see IBM System x3630 M3 (https://lenovopress.com/tips0807).
QRadar 21xx
The IBM QRadar 2100 (MTM 4378-Q21) appliance is an all-in-one system that combines Network Behavioral Anomaly Detection (NBAD) and Security Information and Event Management (SIEM) to accurately identify and appropriately prioritize threats that occur on your network.
Note: If you are upgrading a QRadar 21xx appliance from V7.2.8 or earlier, larger apps such as Pulse, QDI, or User Behavior Analytics can cause overall performance issues on the Console. Apps can be offloaded to an App Host to provide extra storage, memory, and CPU resources for your apps without impacting the processing capacity of your Console.
View hardware information and requirements for the QRadar 21xx in the following table:
Table 59. QRadar 21xx overview
Description Value
Maximum capacity 1,000 EPS
50,000 FPM
Interfaces Six 10/100/1000 Base-T network monitoring interfaces
One 10/100/1000 Base-T management interface
Memory 24 GB
Storage 1.3 TB or larger
Power supply Dual Redundant 675W AC Power Supply
Dimensions 28" D x 17.3" W x 1.69" H
Included components
Event Collector
Event Processor
Single QRadar QFlow Collector, which supports up to 50 Mbps
Additional QRadar QFlow Collectors are sold separately.
For more information about QRadar 21xx appliances, including front and back panel diagrams, see IBM System x3550 M3 (https://lenovopress.com/tips0804).
QRadar QFlow Collector 1201
The IBM QRadar QFlow Collector 1201 (MTM 4378-QC1) appliance provides high capacity and scalable Layer 7 application data collection for distributed deployments. The QRadar QFlow Collector 1201 also supports external flow-based data sources.
View hardware information and requirements for the QRadar QFlow Collector 1201 in the following table:
Table 60. QRadar QFlow Collector 1201
Description Value
Network traffic 200 Mbps
Interfaces Six 10/100/1000 Base-T network monitoring interfaces
One management interface
Memory 6 GB
Storage 146 GB
Power supply Dual Redundant 460W AC Power Supply
Dimensions 28" D x 17.3" W x 1.69" H
Included components
QRadar QFlow Collector 1201
For more information about QRadar QFlow Collector appliances, including front and back panel diagrams, see IBM System x3550 M3 (https://lenovopress.com/tips0804).
QRadar QFlow Collector 1202
The IBM QRadar QFlow Collector 1202 (MTM 4378-QC2) appliance provides high capacity and scalable Layer 7 application data collection for distributed deployments. The QRadar QFlow Collector 1202 also supports external flow-based data sources.
View hardware information and requirements for the QRadar QFlow Collector 1202 in the following table:
Table 61. QRadar QFlow Collector 1202
Description Value
Network traffic 2 Gbps
Interfaces Four 10/100/1000 Base-T network monitoring interfaces
One System Management Ethernet Connector
Memory 6 GB
Storage 146 GB
Power supply Dual Redundant 460W AC
Dimensions 28" D x 17.3" W x 1.69" H
Included components
QRadar QFlow Collector 1202
NT4E-STD Napatech Network Adaptor
For more information about QRadar M3 2100, QRadar Event Collector 1501, and all QRadar Flow Processor appliances, including front and back panel diagrams, see IBM System x3550 M3 (https://lenovopress.com/tips0804).
QRadar QFlow Collector 1301
The IBM QRadar QFlow Collector 1301 (MTM 4378-QD1) appliance provides high capacity and scalable Layer 7 application data collection for distributed deployments. The QRadar QFlow Collector 1301 also supports external flow-based data sources.
View hardware information and requirements for the QRadar QFlow Collector 1301 in the following table:
Table 62. QRadar QFlow Collector 1301
Description Value
Network traffic 2 Gbps
Interfaces Four 10/100/1000 Base-T network monitoring interfaces
One System Management Ethernet Connector
Memory 6 GB
Storage 146 GB
Power supply Dual Redundant 460W AC Power Supply
Dimensions 28" D x 17.3" W x 1.69" H
Included components
QRadar QFlow Collector 1301
NT4E-STD Napatech Network Adaptor
For more information about QRadar M3 2100, QRadar Event Collector 1501, and all QRadar Flow Processor appliances, including front and back panel diagrams, see IBM System x3550 M3 (https://lenovopress.com/tips0804).
QRadar QFlow Collector 1310
The IBM QRadar QFlow Collector 1310, -SR (MTM 4378-QSR) or -LR (MTM 4378-QLR), appliance provides high capacity and scalable Layer 7 application data collection for distributed deployments. The QRadar QFlow Collector 1310 also supports external flow-based data sources.
View hardware information and requirements for the QRadar QFlow Collector 1310 in the following table:
Table 63. QRadar QFlow Collector 1310
Description Value
Network traffic 3 GBps
Interfaces Two 10 Gbps XFP
One System Management Ethernet Connector
Memory 8 GB
Storage 300 GB
Power supply Dual Redundant 460W AC Power Supply
Dimensions 28" D x 17.3" W x 1.69" H
Included components
QRadar QFlow Collector 1310
NT20E Napatech Network Adaptor
For more information about QRadar M3 2100, QRadar Event Collector 1501, and all QRadar Flow Processor appliances, including front and back panel diagrams, see IBM System x3550 M3 (https://lenovopress.com/tips0804).
QRadar Event Collector 1501
The IBM QRadar Event Collector 1501 (MTM 4378-Q21) appliance is a dedicated event collector. By default, a dedicated event collector collects and parses events from various log sources and continuously forwards these events to an event processor. You can configure the QRadar Event Collector 1501 appliance to temporarily store events and only forward the stored events on a schedule. A dedicated event collector does not process events and it does not include an on-board event processor.
View hardware information and requirements for the QRadar Event Collector 1501 in the following table:
Table 64. QRadar Event Collector 1501
Description Value
Events per second 2500 EPS
Interfaces Six 10/100/1000 Base-T network monitoring interfaces
One 10/100/1000 Base-T management interface
Memory 24 GB
Storage 1.3 TB dedicated storage
Power supply Dual Redundant 675W AC Power Supply
Dimensions 28" D x 17.3" W x 1.69" H
Included components
QRadar Event Collector 1501
For more information about QRadar Event Collectors, including front and back panel diagrams, see IBM System x3550 M3 (https://lenovopress.com/tips0804).
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.
IBM may use or distribute any of the information you provide in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:
IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
US
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.
The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to actual people or business enterprises is entirely coincidental.
Trademarks
IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Terms and conditions for product documentation
Permissions for the use of these publications are granted subject to the following terms and conditions.
Applicability
These terms and conditions are in addition to any terms of use for the IBM website.
Personal use
You may reproduce these publications for your personal, noncommercial use provided that all proprietary notices are preserved. You may not distribute, display or make derivative work of these publications, or any portion thereof, without the express consent of IBM.
Commercial use
You may reproduce, distribute and display these publications solely within your enterprise provided that all proprietary notices are preserved. You may not make derivative works of these publications, or reproduce, distribute or display these publications or any portion thereof outside your enterprise, without the express consent of IBM.
Rights
Except as expressly granted in this permission, no other permissions, licenses or rights are granted, either express or implied, to the publications or any information, data, software or other intellectual property contained therein.
IBM reserves the right to withdraw the permissions granted herein whenever, in its discretion, the use of the publications is detrimental to its interest or, as determined by IBM, the above instructions are not being properly followed.
You may not download, export or re-export this information except in full compliance with all applicable laws and regulations, including all United States export laws and regulations.
IBM MAKES NO GUARANTEE ABOUT THE CONTENT OF THESE PUBLICATIONS. THE PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.
IBM Online Privacy Statement
IBM Software products, including software as a service solutions, ("Software Offerings") may use cookies or other technologies to collect product usage information, to help improve the end user experience, to tailor interactions with the end user or for other purposes. In many cases no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering's use of cookies is set forth below.
Depending upon the configurations deployed, this Software Offering may use session cookies that collect each user's session id for purposes of session management and authentication. These cookies can be disabled, but disabling them will also eliminate the functionality they enable.
If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.
For more information about the use of various technologies, including cookies, for these purposes, see IBM's Privacy Policy at http://www.ibm.com/privacy and IBM's Online Privacy Statement at http://www.ibm.com/privacy/details in the section entitled "Cookies, Web Beacons and Other Technologies" and the "IBM Software Products and Software-as-a-Service Privacy Statement" at http://www.ibm.com/software/info/product-privacy.
General Data Protection Regulation
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients' business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
Learn more about the IBM GDPR readiness journey and our GDPR capabilities and Offerings here: https://ibm.com/gdpr